DATA PROCESSING AGREEMENT (DPA)

Revised: February 01, 2026

Effective date: January 03, 2023

Introduction:

This Data Processing Agreement (“DPA”) forms an integral part of the Terms of Service, Master Subscription Agreement, or any other written or electronic agreement governing the provision of services by iClosed (the “Master Agreement”).


This DPA applies only to the extent that iClosed processes Personal Data on behalf of the Customer in its role as a Processor or Service Provider under applicable Data Protection Laws.

  1. Parties and Purpose

1.1 Processor / Independent Controller

You Scale LLC, doing business as iClosed (“iClosed”), acts:

  • To the extent that iClosed independently determines the purposes and essential means of processing for limited platform-related activities (including account administration, billing, security, abuse prevention, system integrity, and legal compliance), iClosed acts as an Independent Data Controller for such processing (“iClosed-Controlled Data”); and

  • as a Data Processor and Service Provider with respect to Customer Personal Data processed solely on documented instructions from the Customer in connection with Customer’s use of the iClosed services for CRM, scheduling, lead management, sales operations, and related functionalities.


For the avoidance of doubt, where iClosed determines technical or operational means of processing Customer Personal Data (including system architecture, security controls, redundancy, and performance optimization), such determinations do not constitute determination of the purposes or essential means of processing within the meaning of Article 4(7) GDPR.


1.2 Customer / Controller

The entity or individual that enters into the Master Agreement with iClosed or otherwise uses the Services (“Customer”).


For purposes of this DPA:

  • The Customer is the Data Controller (or “Business” under applicable U.S. state privacy laws) with respect to Customer Personal Data processed by iClosed on the Customer’s behalf.

  • The Customer determines the purposes and means of processing Customer Personal Data, including:

    • what Personal Data is collected from Data Subjects,

    • the lawful basis for such processing,

    • how such data is used within the Service,

    • and whether such data is shared with third-party systems or integrations enabled by the Customer.


The Customer is solely responsible for:

  • providing legally adequate privacy notices to Data Subjects;

  • obtaining any required consents or authorizations;

  • ensuring that its instructions to iClosed comply with Applicable Data Protection Laws; and

  • ensuring that its use of the Services does not violate applicable privacy, marketing, or communications laws.


iClosed does not control and shall not be responsible for the Customer’s data collection practices, consent mechanisms, or downstream data use decisions.


1.3 Purpose of this DPA

This Data Processing Agreement governs the processing of Customer Personal Data by iClosed solely in its capacity as a Data Processor or Service Provider, acting on behalf of and under the documented instructions of the Customer, in accordance with Article 28 of the GDPR, the CPRA, and other applicable data protection laws, to the extent applicable to such processing.


This DPA does not govern, and does not apply to, any processing of Personal Data by iClosed in its capacity as an independent Data Controller, including processing performed for platform operation, security, analytics, billing, account management, fraud prevention, or legal compliance, which is governed separately by iClosed’s Privacy Policy and applicable law.


Certain optional features or services may be subject to additional feature-specific data processing terms or addenda, which shall apply only where such feature is enabled by the Customer. Without limitation, where Customer enables iClosed’s “iScore” credit intelligence/data enrichment functionality, the iScore Feature Addendum (“Addendum A”) applies and forms part of this DPA solely for that optional feature. 


For the avoidance of doubt, informational materials, documentation, help center articles, onboarding content, or marketing materials provided by iClosed do not modify, expand, or override the scope of processing, roles, or obligations set out in this DPA.


1.4. Precedence

In the event of any conflict or inconsistency:

  • The Standard Contractual Clauses (“SCCs”), where applicable, shall prevail over all other agreements;

  • This Data Processing Agreement shall prevail over the Master Agreement, Privacy Policy, or any other agreement solely with respect to the processing of Personal Data;

  • The Master Agreement shall prevail over this DPA with respect to all commercial, financial, and non-data-protection related terms.

Nothing in this DPA shall be construed to modify or override iClosed’s obligations as an independent Data Controller under its Privacy Policy.


1.5. Effective Date

This Data Processing Agreement becomes effective on the earlier of:

  • the date on which the Customer accepts the Master Agreement; or

  • the date on which iClosed first processes Customer Personal Data on behalf of the Customer under the Master Agreement.


This DPA applies only to the processing of Personal Data occurring on or after its effective date and does not apply retroactively unless expressly required by Applicable Data Protection Laws.


1.6. Contact Information

For matters relating to data protection, privacy, or this DPA, the Parties may contact each other as follows:


iClosed:
Email: hello@iclosed.io
Registered business address: as set out in the Master Agreement or otherwise made available upon request.


Customer:
iClosed may contact the Customer using the administrative or account contact information provided by the Customer through the Service or the Master Agreement.

Each Party shall ensure that contact details provided for data protection matters remain accurate and up to date.

  2. DEFINITIONS

For the purposes of this Data Processing Agreement (“DPA”), the terms defined below shall have the meanings set forth in this Clause 2.


Capitalized terms not otherwise defined in this DPA shall have the meanings given to them in the applicable Data Protection Laws or, where not defined therein, in the Master Agreement.


Definitions in this DPA apply solely for the purposes of interpreting and enforcing this DPA and do not modify, expand, or limit the definitions or obligations set forth in the Master Agreement, Privacy Policy, or any other agreement between the Parties, except to the extent expressly stated in this DPA.


2.1. Applicable Data Protection Laws

Means all privacy, data protection, and data security laws and regulations that are legally applicable to the processing of Personal Data under this DPA, including, where applicable:

  • Regulation (EU) 2016/679 (the “GDPR”);

  • The UK GDPR and Data Protection Act 2018;

  • The California Consumer Privacy Act, as amended by the CPRA;

  • The Virginia Consumer Data Protection Act (VCDPA);

  • The Colorado Privacy Act (CPA);

  • The Connecticut Data Privacy Act (CTDPA);

  • The Utah Consumer Privacy Act (UCPA); and

  • Any other data protection law that expressly applies to the processing activities of a Party under this DPA in its role as Controller or Processor.


For the avoidance of doubt, Applicable Data Protection Laws apply only to the extent and in the jurisdictions in which such laws are legally binding on the relevant Party with respect to the processing activities governed by this DPA.


2.2 Customer Personal Data

“Customer Personal Data” means any Personal Data that is submitted to, generated within, or otherwise made available to the Service by or on behalf of the Customer, and that is processed by iClosed solely in its capacity as a Data Processor and strictly in accordance with the Customer’s documented instructions, including as configured through the Service, APIs, integrations, workflows, and settings.

Customer Personal Data includes, to the extent configured or provided by the Customer, the following categories of data:

  • Lead and contact information

  • Appointment and scheduling data

  • Sales funnel data, deal values, and CRM records

  • Call outcomes, notes, and sales activity metadata

  • Custom fields created by the Customer

  • Uploaded files and assets (e.g., logos, profile images, CSVs)

  • Automation-triggered messaging data

  • Technical identifiers associated with Customer-controlled interactions (e.g., IP address, UTM parameters, user-agent, click identifiers)


Customer Personal Data expressly excludes iClosed Controlled Data, which is processed by iClosed in its independent capacity as a Data Controller as defined in Clause 2.5.


2.3. Credit & Financial Enrichment Data 

“Credit & Financial Enrichment Data” has the meaning set out in Addendum A and applies only where the Customer enables the iScore feature.


2.4. Credit Enrichment Event

“Credit Enrichment Event” has the meaning set out in Addendum A and applies only where the Customer enables the iScore feature.


2.5. iClosed Controlled Data 

“iClosed-Controlled Data” means Personal Data processed by iClosed where, and to the extent that, iClosed independently determines the purposes and essential means of processing for limited platform-related activities, including account administration, billing, security, abuse prevention, system integrity, and legal compliance.

iClosed Controlled Data does not include Customer Personal Data processed by iClosed in its role as a Processor under this DPA.


The purposes and lawful bases for iClosed’s processing of iClosed Controlled Data are governed separately by iClosed’s Privacy Policy and applicable Data Protection Laws.


2.6. Controller

“Controller” has the meaning given in Article 4(7) of the GDPR and similar Applicable Data Protection Laws and refers to the natural or legal person that determines the purposes and means of the processing of Personal Data.

For the purposes of this DPA:

  • Customer is the Controller of Customer Personal Data; and

  • iClosed is the Controller of iClosed Controlled Data, where iClosed determines the purposes and means of processing such data independently for platform operation, security, compliance, analytics, and account management.

Nothing in this DPA shall be construed as creating joint controllership between the Parties.


2.7. Processor

“Processor” means an entity that processes Personal Data on behalf of a Controller and on documented instructions from that Controller, as defined in Article 4(8) of the GDPR and similar Applicable Data Protection Laws.

For the purposes of this DPA, iClosed acts as a Processor solely with respect to Customer Personal Data, and only to the extent necessary to provide the Services in accordance with the Master Agreement and Customer’s documented instructions.


2.8. Service Provider

Has the meaning given under the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”), and similar U.S. state privacy laws.


iClosed acts as a Service Provider solely when processing Customer Personal Data on behalf of and under the documented instructions of the Customer, and only for the limited and specified business purposes described in this DPA and the applicable Master Agreement.


In its capacity as a Service Provider, iClosed:

(a) does not sell Customer Personal Data (as defined under the CCPA/CPRA and similar U.S. privacy laws);

(b) does not share Customer Personal Data for cross-context behavioral advertising (as defined under the CPRA);

(c) does not retain, use, or disclose Customer Personal Data for any purpose other than providing the Services or as otherwise permitted by Applicable Data Protection Laws; and

(d) does not combine Customer Personal Data with personal data received from other sources, except as permitted by law.


This definition applies only to Customer Personal Data and does not apply to data processed by iClosed in its capacity as an independent Data Controller.


2.9. Sub-Processor

“Sub-Processor” means any third-party entity engaged by iClosed to process Customer Personal Data on behalf of Customer, where iClosed is acting as a Processor under this DPA.


Sub-Processors process Customer Personal Data only to the extent necessary to support the provision of the Services and only under written agreements imposing data protection obligations equivalent to this DPA, as required by Article 28 of the GDPR and applicable Data Protection Laws.


For clarity:

Vendors engaged by iClosed in its capacity as an independent Controller (including providers of authentication, billing, security monitoring, analytics, logging, consent management, fraud prevention, and platform operations) are not Sub-Processors under this DPA.


Third-party systems, integrations, CRMs, automation tools, tracking tools, or other services enabled or configured directly by Customer act under Customer’s control and are not Sub-Processors of iClosed.


2.10. “Standard Contractual Clauses” or “SCCs”

Means the standard contractual clauses approved by the European Commission pursuant to Article 46 of the GDPR, as updated or replaced from time to time.

Where applicable, the SCCs are incorporated into this DPA by reference and apply to restricted transfers of Customer Personal Data in accordance with Chapter 8 (International Transfers) of this DPA, including:

(a) transfers from the Customer (as Controller) to iClosed (as Processor) under Module 2; and

(b) transfers from iClosed (as Processor) to authorized Sub-Processors or non-EEA personnel under Module 3.


The SCCs apply only to the extent required under Applicable Data Protection Laws and solely with respect to Customer Personal Data subject to a restricted international transfer.


2.11. Data Subject

Means an identified or identifiable natural person to whom Personal Data relates, as defined under the GDPR and other applicable Data Protection Laws.


Depending on the context and role of processing under this DPA, Data Subjects may include:

(a) Customer-controlled Data Subjects, such as individuals whose Personal Data is submitted to the Service by or on behalf of the Customer, including leads, contacts, prospects, or end users interacting with Customer booking forms, schedulers, or CRM workflows; and

(b) iClosed-controlled Data Subjects, such as Customer account holders, authorized users, administrators, billing contacts, and other individuals whose Personal Data is processed by iClosed in its capacity as an independent Controller for platform operation, security, billing, analytics, and compliance purposes.


The classification of a Data Subject does not alter the allocation of Controller and Processor responsibilities set forth in this DPA.


2.12. Data Subject Request

“Data Subject Request” means a request made by or on behalf of a Data Subject to exercise rights granted under Applicable Data Protection Laws, including the right to:

  • Access

  • Rectification

  • Erasure (“right to be forgotten”)

  • Restriction of processing

  • Data portability

  • Objection to processing

  • Withdrawal of consent


A Data Subject Request may relate to:

(a) Customer Personal Data, where the Customer acts as the Controller and iClosed acts solely as a Processor; or
(b) iClosed Controlled Data, where iClosed acts as an Independent Controller.


For the avoidance of doubt:

  • Where a Data Subject Request relates to Customer Personal Data, iClosed shall not respond directly to the Data Subject except as required by law, and shall promptly forward the request to the relevant Customer in accordance with this DPA.

  • Where a Data Subject Request relates to iClosed Controlled Data, iClosed shall respond directly to the Data Subject in its capacity as Controller, subject to Applicable Data Protection Laws.


2.13. Processing / Process

“Processing” or “Process” means any operation or set of operations which is performed on Personal Data, whether or not by automated means, including but not limited to:

collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.


This definition shall have the same meaning as set forth in Article 4(2) of the GDPR and equivalent definitions under applicable Data Protection Laws.


2.14. Personal Data Breach

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed in connection with the Services, as defined under Article 4(12) of the GDPR and equivalent provisions of applicable Data Protection Laws.


2.15 Instructions

“Instructions” means the documented, lawful instructions of the Customer directing iClosed’s processing of Customer Personal Data as a Processor, as set out in:

  • this DPA;

  • the Master Agreement; and

  • the Customer’s configuration, use, and operation of the Service, including settings, workflows, automations, integrations, API calls, imports, exports, and other actions initiated by the Customer within the platform.


Instructions must comply with Applicable Data Protection Laws. iClosed shall promptly inform the Customer if, in its reasonable opinion, an instruction infringes Applicable Data Protection Laws.


2.16. Security Measures

Means the technical and organizational measures implemented by iClosed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to such data, as required under Article 32 of the GDPR and equivalent provisions of applicable Data Protection Laws.


The Security Measures applicable to the processing of Customer Personal Data under this DPA are described in Chapter 6 (Security Measures) of this DPA.


For the avoidance of doubt, Security Measures apply only to processing activities where iClosed acts as a Processor under this DPA and do not create obligations with respect to data processed by iClosed in its capacity as an Independent Controller, except where required by applicable law.


2.17. Retention Period

“Retention Period” means the period during which Personal Data is retained by iClosed in accordance with this DPA, the Master Agreement, applicable Data Protection Laws, and documented Customer instructions, as applicable.


(a) Customer Personal Data (Processor Role)
Customer Personal Data processed by iClosed as a Processor is retained:

  • For the duration of the Customer’s use of the Services;

  • Until deletion or export is initiated by the Customer through the platform or upon termination of the Master Agreement; and

  • Thereafter, in a soft-deleted state for up to one hundred eighty (180) days, unless earlier deletion is requested by the Customer or required by applicable law.

Following the soft-deletion period, Customer Personal Data is permanently deleted or irreversibly anonymized, except where retention is required to comply with legal obligations, resolve disputes, or enforce agreements.


(b) Backups
Encrypted system backups containing Customer Personal Data are retained for a rolling period of up to one hundred eighty (180) days and are automatically overwritten thereafter.


Backup Storage and Restoration. Backups are encrypted, access-controlled, and maintained for business continuity and disaster recovery purposes. Backups are not used for routine production processing and are not searched, queried, or accessed except as necessary to restore availability, integrity, or resilience following a security incident, system failure, or other disaster recovery event, or where required to comply with applicable law. Any restoration is performed by authorized personnel subject to access controls and logging. Where data has been deleted or placed into a soft-deleted state in the production environment, iClosed will maintain and re-apply deletion markers/flags after restoration so that deleted data is not re-enabled for normal use, and is not re-processed other than as necessary to complete the restoration and re-apply such deletion state, and remains subject to the applicable retention and overwrite schedule.


(c) iClosed-Controlled Data (Controller Role)
Personal Data processed by iClosed in its capacity as an independent Controller (including account, billing, security, logging, and compliance data) is retained for as long as necessary to:

  • Operate, secure, and maintain the Services;

  • Comply with legal, tax, accounting, or regulatory obligations; or

  • Establish, exercise, or defend legal claims.


Retention periods for such data are determined by iClosed in accordance with applicable law and its internal data governance policies.


2.18. Documented Instructions

“Documented Instructions” means written instructions provided by Customer to iClosed through the Services, the Master Agreement, an applicable order form, or other written communications expressly identified as instructions for data processing purposes.

  3. ROLES OF THE PARTIES

This Chapter defines the respective roles, responsibilities, and allocation of obligations between the Parties under applicable Data Protection Laws, including but not limited to the GDPR, UK GDPR, CPRA, and similar global privacy laws.


The purpose of this Chapter is to clearly distinguish when iClosed acts as a Data Processor or Service Provider on behalf of the Customer, and when iClosed acts as an independent Data Controller for its own operational data, in order to:

  • Ensure compliance with GDPR Articles 24, 26, and 28;

  • Avoid unintended joint controllership;

  • Provide transparency to supervisory authorities, enterprise customers, and Data Protection Officers (DPOs);

  • Establish clear responsibility for lawful bases, disclosures, and data subject rights handling.


Each Party remains solely responsible for compliance with its respective obligations under applicable Data Protection Laws, based on the role it performs in relation to the relevant category of Personal Data.


3.1 Dual-Role Processing Structure

iClosed processes Personal Data under this DPA in two strictly separated capacities, depending on the category of data and the purpose of processing.


3.1.1 iClosed as Data Processor (Customer CRM & Scheduling Data)

iClosed acts solely as a Data Processor with respect to Customer Personal Data, meaning Personal Data submitted to the Service by or on behalf of the Customer for the Customer’s own business purposes.


This includes, without limitation, data relating to:

  • leads and contacts,

  • scheduling and appointment data,

  • CRM records,

  • sales pipeline data,

  • automation outputs,

  • messaging metadata,

  • and any other data configured or uploaded by the Customer.


In this role:

  • The Customer is the sole Data Controller;

  • iClosed processes such data only on documented instructions from the Customer, including instructions provided through platform configuration, workflows, APIs, and integrations;

  • iClosed does not determine the purposes or means of processing such data.


3.1.2 iClosed as Independent Data Controller (Platform Operations Data)

iClosed acts as an independent Data Controller only for Personal Data that it must process for its own legitimate business purposes, separate from Customer CRM and scheduling data.


This includes Personal Data processed solely to:

  • operate and maintain the Service,

  • ensure platform security and abuse prevention,

  • manage user authentication and account access,

  • administer billing and subscriptions,

  • perform internal diagnostics, monitoring, and performance analytics,

  • comply with legal and regulatory obligations.


In this role:

  • iClosed determines the purposes and means of processing only for this operational data;

  • Such processing does not involve Customer CRM or scheduling data.


3.1.3 Clarification on Hosted Interfaces

The role allocations set out in Sections 3.1.1 and 3.1.2 apply equally to all customer-facing interfaces operated by iClosed on its infrastructure, including hosted scheduling pages, booking links, embedded forms, and similar user-facing pages through which Customer Personal Data is collected or processed on behalf of the Customer.


For the avoidance of doubt, the operation or hosting of such interfaces by iClosed does not alter the Parties’ respective roles under this Agreement, and does not make iClosed a Data Controller with respect to Customer Personal Data processed through such interfaces.


3.1.4 Customer-Configured Consent and Disclosure Mechanisms

Where the Services allow the Customer to configure consent checkboxes, acknowledgements, disclosures, or similar mechanisms (including through settings, workflows, templates, APIs, or embedded forms), such configurations constitute documented instructions from the Customer to iClosed within the meaning of this Agreement.


iClosed implements such configurations solely as a technical service provider and does not assess the validity, sufficiency, or legal appropriateness of any consent language, disclosure text, or lawful basis selected or provided by the Customer.


3.2. No Joint Controllership

Nothing in this DPA shall be interpreted as creating a relationship of joint controllership between the Parties within the meaning of Article 26 of the GDPR or any similar provision under Applicable Data Protection Laws.

Each Party independently determines the purposes and means of processing Personal Data for which it acts as a Controller.


In particular:

(a) The Customer is solely responsible for determining the purposes and means of processing Customer Personal Data relating to its CRM, scheduling, sales, marketing, and customer engagement activities; and

(b) Where, and to the extent that, iClosed independently determines the purposes and essential means of processing for limited platform-related activities, including account management, billing, security, abuse prevention, system integrity, and legal compliance, iClosed acts as an Independent Data Controller for such processing.


The Parties expressly acknowledge that they do not jointly determine the purposes or means of processing any Personal Data under this DPA, and no joint controllership arrangement is intended or implied.


3.3 Customer as Controller of Customer Personal Data

The Customer is the Data Controller with respect to all Customer Personal Data processed by iClosed in its capacity as a Processor.


In this role, the Customer determines the purposes and means of the processing of Customer Personal Data, including but not limited to:

  • the categories of Personal Data collected from Data Subjects;

  • the lawful basis for such collection and processing;

  • the content, configuration, and use of Customer workflows, automations, and communications;

  • the duration for which Customer Personal Data is retained, subject to the technical capabilities of the Service.


The Customer is solely responsible for:

  • providing all required notices to Data Subjects;

  • obtaining and maintaining all necessary consents and lawful bases under Applicable Data Protection Laws;

  • ensuring that its instructions to iClosed comply with Applicable Data Protection Laws.


iClosed does not determine the purposes or means of the Customer’s processing of Customer Personal Data and does not assume responsibility for the Customer’s compliance with Applicable Data Protection Laws in its role as Controller.


3.4 Customer Instructions


3.4.1 Customer instructs iClosed to process Customer Personal Data solely for the purpose of providing the Service in accordance with:

  • this DPA;

  • the Master Agreement; and

  • Customer’s documented configurations, settings, workflows, integrations, and API usage within the iClosed platform.


3.4.2 Customer acknowledges that its use of the Service, including configuring automations, importing or exporting data, enabling integrations, defining workflows, assigning permissions, and initiating communications, constitutes documented instructions to iClosed for the purposes of GDPR Article 28(3).


3.4.3 iClosed shall not process Customer Personal Data outside or beyond Customer’s documented instructions, except where required to do so by applicable law, in which case iClosed shall, to the extent legally permitted, notify Customer of such legal requirement.


3.4.4 If iClosed reasonably believes that any instruction infringes Applicable Data Protection Laws, iClosed shall promptly inform Customer and may suspend the relevant processing activity until Customer modifies or confirms the instruction.


3.4.5 Customer remains solely responsible for determining the purposes and lawful bases of processing Customer Personal Data, including compliance with GDPR Article 6, consent requirements, and transparency obligations toward Data Subjects.


3.5 No Intended Joint Controllership

The Parties acknowledge and agree that they do not intend to act as Joint Controllers within the meaning of Article 26 of the GDPR or equivalent provisions under Applicable Data Protection Laws.

Nothing in this DPA shall be interpreted as creating a joint controllership relationship between the Parties.


However, where a competent supervisory authority or court determines that the Parties jointly determine the purposes and essential means of specific processing activities despite the Parties’ intent, the Parties shall cooperate in good faith to:

(a) determine their respective responsibilities for compliance with Applicable Data Protection Laws, including transparency and Data Subject rights; and

(b) document such allocation of responsibilities in a manner compliant with Article 26 GDPR or equivalent requirements, without prejudice to the remaining provisions of this DPA.


3.6 Prohibited Processing

When acting as a Processor for Customer Personal Data, iClosed shall not:

  • Process Customer Personal Data for any purpose other than providing the Services in accordance with the Customer’s documented instructions, this DPA, and the Master Agreement;

  • Sell Customer Personal Data or share it for cross-context behavioral advertising, as those terms are defined under applicable U.S. state privacy laws;

  • Use Customer Personal Data to train generalized artificial intelligence or machine learning models, or third-party models, in a manner that identifies or profiles individual Data Subjects or Customer business data;

  • Combine Customer Personal Data with personal data from other customers, except where aggregation or anonymization is performed solely to provide reporting or analytics to that same Customer;

  • Disclose Customer Personal Data to third parties except as expressly permitted under this DPA or required by Applicable Data Protection Laws.


Nothing in this Clause restricts iClosed from processing personal data as an independent Controller where such processing is expressly described in this DPA, the Privacy Policy, or is necessary to operate, secure, and support the Service.


3.7 Controller Responsibilities of Customer

The Customer, as the Data Controller for Customer Personal Data, is solely responsible for:

  • Determining the purposes and lawful bases for the processing of Customer Personal Data, including compliance with GDPR Article 6 and any applicable consent requirements;

  • Providing all required privacy notices to Data Subjects whose data is collected, including notices related to booking forms, embedded schedulers, websites, funnels, CRM systems, and integrations operated by or on behalf of the Customer;

  • Obtaining, managing, and documenting any consents required under applicable Data Protection Laws, including for email, SMS, tracking technologies, or marketing communications;

  • Ensuring that all Personal Data submitted to the Service is collected and processed lawfully, fairly, and transparently;

  • Configuring the Service, including workflows, automations, integrations, and data retention settings, in a manner consistent with applicable Data Protection Laws;

  • Responding to Data Subject Requests relating to Customer Personal Data, including requests for access, deletion, rectification, restriction, portability, or objection;

  • Ensuring that any third-party systems, CRMs, analytics tools, automation platforms, or integrations enabled by the Customer comply with applicable Data Protection Laws.


Optional Feature Addenda. 

Where Customer enables an optional feature that involves additional data categories or sector-specific compliance requirements (including the iScore feature), the Parties’ additional processing terms and Customer responsibilities for that optional feature are set out exclusively in the applicable Feature Addendum (e.g., Addendum A).

iClosed shall not be responsible for the Customer’s compliance failures, unlawful instructions, or misuse of the Service, provided that iClosed processes Customer Personal Data strictly in accordance with this DPA and the Customer’s documented instructions.


3.8 When iClosed May Act Without Customer Instruction

Notwithstanding any other provision of this DPA, iClosed may process Personal Data without Customer instruction only where iClosed is acting as an Independent Controller, and only to the extent necessary to:

  • Operate, secure, and maintain the Service, including authentication, account administration, system availability, monitoring, and performance optimization;

  • Detect, prevent, and investigate fraud, abuse, or security incidents, including rate limiting, anomaly detection, and misuse prevention;

  • Comply with applicable legal obligations, lawful requests from authorities, court orders, or regulatory requirements;

  • Maintain audit logs, security logs, and diagnostic records, provided such processing is limited, proportionate, and subject to retention controls;

  • Perform internal analytics and reporting relating to platform usage, reliability, and service improvement, using aggregated or anonymized data where reasonably possible;

  • Communicate with the Customer regarding account administration, billing, service notices, security alerts, and support matters.


For the avoidance of doubt:

  • iClosed does not act without Customer instruction when processing Customer Personal Data in its role as Processor;

  • iClosed does not use Customer Personal Data for marketing, advertising, profiling, or AI training;

  • Any processing under this Clause is conducted strictly in iClosed’s capacity as Independent Controller, as disclosed in the Privacy Policy.


These activities do not require Customer approval and do not constitute joint controllership.

  4. Scope, Purpose & Instructions for Processing

This Chapter sets out the scope, nature, purposes, and limitations of the Processing of Personal Data under this Data Processing Agreement, in accordance with Article 28(3) GDPR, applicable U.S. state privacy laws (including the CPRA), and other Applicable Data Protection Laws.


4.1 Scope of Processing as Processor

To the extent iClosed acts as a Data Processor, iClosed processes Customer Personal Data solely on documented instructions from Customer and only for the purpose of providing the iClosed platform and related services under the Master Agreement.


Such processing is strictly limited to activities initiated, configured, or controlled by Customer through the iClosed dashboard, APIs, integrations, workflows, or other service configurations, including:

  • Lead capture and CRM storage, including data submitted through booking forms, embedded schedulers, pop-ups, manual entry, CSV uploads, and API submissions;

  • Scheduling and calendar operations, including availability calculations, appointment creation, rescheduling, cancellations, and notifications triggered by Customer configurations;

  • Sales funnel and workflow operations, including lead routing, assignment, lifecycle updates, and status changes configured by Customer;

  • Automation and messaging execution, where emails or SMS are sent strictly according to Customer-defined workflows and content; and

  • Reporting and analytics generated exclusively for Customer’s internal use, derived from Customer Personal Data and visible only within the Customer’s account.


iClosed does not determine the purposes or means of processing Customer Personal Data and does not process such data for its own independent purposes when acting as a Processor.


Any processing activities performed by iClosed outside the scope of Customer instructions, including processing for platform security, abuse prevention, product improvement, billing, legal compliance, or operational analytics, are performed solely in iClosed’s capacity as an Independent Data Controller and are governed separately under this DPA and iClosed’s Privacy Policy.


4.2. Scope of Processing as Independent Controller

When acting as an Independent Controller, iClosed processes Personal Data only to the extent necessary and proportionate to operate, secure, maintain, and improve the iClosed platform and its underlying infrastructure.


This Controller-level processing does not include Customer Personal Data processed under Clause 4.1, and is strictly limited to Personal Data that iClosed must process independently for its own legitimate operational, security, legal, and business purposes, including:

  • Operate & Improve the Service: Ensuring platform functionality, reliability, performance optimization, feature stability, and service availability.

  • Maintain Account Lifecycle: Account provisioning, authentication, access management, subscription administration, billing operations, and communications relating to account status, service notices, and support interactions.

  • Ensure Security & Prevent Abuse: Security monitoring, fraud detection, abuse prevention, incident detection, logging, diagnostics, vulnerability management, and compliance with applicable legal and regulatory obligations.

  • Consent Management: Recording, storing, and enforcing consent preferences required under applicable cookie, tracking, and privacy regulations, including consent logs and audit records.

  • Compliance with Law: Compliance with applicable legal obligations, lawful governmental or regulatory requests, and enforcement of contractual, security, and platform policies.


All processing under this Clause is carried out pursuant to GDPR Articles 6(1)(b), 6(1)(c), and/or 6(1)(f), as applicable, and is subject to data minimization, purpose limitation, access controls, and defined retention periods.

Processing under this Clause is performed independently by iClosed and does not require Customer instructions.


4.3. Instructions from Customer

Customer hereby instructs iClosed to process Customer Personal Data strictly in accordance with:

  • this Data Processing Agreement;

  • the Master Agreement; and

  • Customer’s documented configurations, settings, workflows, API usage, integrations, and actions performed within the iClosed platform.


Customer acknowledges and agrees that:

  • configurations, selections, and actions taken within the iClosed dashboard, APIs, or integrations constitute documented instructions for the purposes of GDPR Article 28(3); and

  • iClosed does not require separate written instructions for processing activities that are a direct result of Customer’s use and configuration of the Service.


iClosed shall:

  • process Customer Personal Data only on documented instructions from Customer;

  • not process Customer Personal Data for any purpose outside the scope of such instructions; and

  • promptly inform Customer if, in iClosed’s reasonable opinion, an instruction infringes Applicable Data Protection Laws, unless prohibited by law.


Where iClosed is required by Applicable Law to process Customer Personal Data outside Customer instructions, iClosed shall inform Customer of such legal requirement prior to processing, unless prohibited by law.


4.4. Permitted Processing Activities (Processor Role)

When acting as a Data Processor under Clause 4.1, iClosed may perform only those processing activities that are strictly necessary to provide the Services in accordance with the Customer’s documented instructions and the Master Agreement.


Permitted processing activities include:

  • Collection, storage, organization, structuring, and retrieval of Customer Personal Data within the iClosed platform as configured by the Customer;

  • Transmission and display of Customer Personal Data within the Customer’s account environment and to Customer-designated recipients or endpoints;

  • Execution of Customer-configured workflows, automations, scheduling logic, routing rules, notifications, and integrations;

  • Encryption, backup, recovery, and redundancy operations necessary to ensure availability, integrity, and resilience of the Service;

  • Aggregation and transformation of Customer Personal Data solely for the purpose of generating reports, dashboards, or analytics that are:

      • visible only to the Customer, and

      • used exclusively for the Customer’s internal business purposes;

  • Technical support activities, limited to troubleshooting, diagnostics, and issue resolution initiated by or on behalf of the Customer.


All such processing is performed:

  • solely on documented Customer instructions;

  • without determining independent purposes or means of processing; and

  • without using Customer Personal Data for iClosed’s own marketing, analytics, profiling, or product training.


For the avoidance of doubt:

  • iClosed does not use Customer Personal Data to train, fine-tune, or operate generalized artificial intelligence or machine learning models, or third-party models, beyond Customer-configured workflows or the provision of the Services.

  • Any processing related to platform security, fraud prevention, compliance, telemetry, or product improvement is performed only under iClosed’s role as an Independent Controller and is governed separately under Clause 4.2 and the Privacy Policy.


4.5. Prohibited Processing Activities

When acting as a Data Processor, iClosed shall not, and shall not permit any Sub-Processor to:

  • process Customer Personal Data for any purpose other than providing the services under the Master Agreement and this DPA;

  • use Customer Personal Data for product development, behavioral profiling, marketing, advertising, or analytics unrelated to the Customer’s own use of the Service;

  • sell Customer Personal Data (including for monetary or other valuable consideration) or share Customer Personal Data (for cross-context behavioral advertising / targeted advertising, as defined under applicable U.S. state privacy laws), or otherwise disclose or make Customer Personal Data available to third parties except as expressly permitted under this DPA or required by Applicable Data Protection Laws;

  • combine Customer Personal Data with data from other customers or external data sources, except where (i) aggregation or anonymization is performed solely to provide reporting/analytics visible only to that same Customer, and/or (ii) such combining is otherwise permitted under Applicable Data Protection Laws;

  • train, fine-tune, or operate generalized artificial intelligence or machine learning models, or third-party models, in a manner that identifies or profiles individual Data Subjects or Customer business data as prohibited under Clause 5.4.3 (Artificial Intelligence and Machine Learning Restrictions);

  • attempt to re-identify anonymized or aggregated data;

  • infer sensitive personal characteristics or special category data from Customer Personal Data; or

  • process Customer Personal Data in a manner that would violate Applicable Data Protection Laws or Customer’s documented instructions.


Any processing activity not expressly permitted under this DPA is strictly prohibited.


4.6. Customer Configuration as Instructions

The Parties agree that Customer’s documented instructions to iClosed include the configurations, settings, and actions expressly made available within the iClosed platform that relate to the processing of Customer Personal Data solely for the purposes described in this DPA.


Such instructions include, without limitation, Customer actions taken within the Service, including:

  • creating, modifying, or deleting custom fields;

  • configuring scheduling logic, availability rules, and routing criteria;

  • enabling, disabling, or modifying workflows, automations, and notifications;

  • importing, exporting, or deleting Customer Personal Data;

  • enabling integrations, webhooks, and API connections initiated by Customer; and

  • managing user roles, permissions, and access controls within the Customer account.


Customer acknowledges that such configurations constitute documented instructions only to the extent that they are consistent with this DPA, the Master Agreement, and Applicable Data Protection Laws.


For the avoidance of doubt, Customer configurations shall not authorize iClosed to:

  • process Customer Personal Data for purposes not expressly described in this DPA;

  • use Customer Personal Data for iClosed’s own marketing, advertising, or profiling purposes;

  • train or develop artificial intelligence or machine learning models using Customer Personal Data; or

  • engage in any processing activity expressly prohibited under Clause 4.5.


4.7. Data Minimization Commitment

iClosed shall process Customer Personal Data in accordance with the principles of data minimization, purpose limitation, and proportionality as required under Applicable Data Protection Laws.


When acting as a Data Processor, iClosed shall:

  • process only the categories of Customer Personal Data that are provided, uploaded, or generated through Customer-initiated use of the Service;

  • not collect, infer, or generate additional Personal Data beyond what is technically required to deliver the Service as configured by Customer;

  • avoid processing Customer Personal Data that is excessive in relation to the purposes described in this DPA;

  • implement technical controls designed to prevent the storage, retention, or propagation of Customer Personal Data that is not necessary for the provision of the Service; and

  • automatically restrict, delete, or anonymize Customer Personal Data that is identified as unlawfully processed or that violates the Master Agreement or Acceptable Use Policy, where technically feasible.


Nothing in this Clause shall prevent iClosed from processing Personal Data in its capacity as an Independent Data Controller, provided such processing is limited to the purposes expressly described in this DPA and iClosed’s Privacy Policy.


4.8. Duration of Processing

iClosed shall process Customer Personal Data for the duration of the Customer’s use of the Services under the Master Agreement and strictly in accordance with this DPA.


Processing shall continue until the earliest of:

  • termination or expiration of the Master Agreement;

  • deletion of Customer Personal Data by Customer through the iClosed platform; or

  • receipt of a valid deletion instruction from Customer, unless retention is required by Applicable Law.


Upon termination or expiration of the Master Agreement, Customer Personal Data shall be handled as follows:

  • Customer Personal Data shall be placed into a soft-deleted state, rendering it inaccessible to Customer and end users;

  • Such data shall be permanently deleted from active systems within one hundred eighty (180) days following termination or receipt of a valid deletion request, subject to iClosed’s standard data deletion workflows and applicable legal obligations; and

  • Customer Personal Data contained in system backups shall be overwritten or deleted within one hundred eighty (180) days following deletion from active systems, in accordance with iClosed’s standard backup retention and rotation practices, and shall remain logically isolated and inaccessible during such periods.


Following permanent deletion, only anonymized or aggregated data that no longer constitutes Personal Data may be retained by iClosed for statistical, analytical, or service-improvement purposes.


Nothing in this Clause shall require iClosed to delete or modify Personal Data where retention is required to:

  • comply with applicable legal, regulatory, or tax obligations;

  • resolve disputes or enforce contractual rights;

  • complete security investigations or fraud prevention activities; or

  • maintain system integrity and audit logs.

  5. DATA CATEGORIES & PROCESSING DETAILS

(GDPR Article 28(3) Attachment)


This Chapter forms an integral part of this DPA and sets out, in accordance with GDPR Article 28(3) and equivalent global privacy laws.


The processing activities described in this Chapter apply only to the extent applicable based on whether iClosed is acting as a Data Processor or an Independent Data Controller, as defined in this DPA.


Nothing in this Chapter expands iClosed’s processing activities beyond those expressly permitted under this DPA, the Master Agreement, or Applicable Data Protection Laws.


5.1. Categories of Data Subjects

Depending on the nature of the processing and the role assumed by iClosed under this DPA, Personal Data processed by iClosed may relate to the following categories of Data Subjects:


5.1.1. Customer’s Leads and Contacts 

Individuals whose Personal Data is submitted, collected, or otherwise provided by the Customer through the use of the Services, including via:

  • booking forms, schedulers, pop-ups, or embedded widgets;

  • Customer-controlled websites, funnels, or landing pages;

  • manual entry, CSV uploads, API submissions, or integrations configured by the Customer.


These Data Subjects are processed solely under the Customer’s control, and the Customer remains the Data Controller for such data.


5.1.2. Customer’s Authorized Users 

Individuals authorized by the Customer to access and use the iClosed platform on the Customer’s behalf, including but not limited to:

  • account owners;

  • administrators;

  • team members, agents, or staff granted access by the Customer.


Processing of such data may occur in both Processor and Independent Controller capacities, depending on the purpose of processing as described in this DPA.


5.1.3. Customer’s Prospective or Anonymous Visitors

Individuals who interact with Customer-configured booking tools or scheduling interfaces prior to submitting identifiable information, including anonymous or pseudonymous visitors whose data may be processed for:

  • scheduling functionality;

  • session handling;

  • security, fraud prevention, or consent enforcement.


Such processing occurs only to the extent technically necessary to provide the Service and is governed by the applicable role allocation under this DPA.


5.1.4. Customer’s Billing and Administrative Contacts

Individuals designated by the Customer for billing, subscription management, invoicing, or account administration purposes.


Processing of such data is generally performed by iClosed as an Independent Controller, as necessary to manage the contractual and billing relationship.


5.1.5. iClosed Personnel (Limited Scope)

Where strictly necessary for operational, security, compliance, or support purposes, Personal Data relating to iClosed personnel or contractors may be processed internally by iClosed in its capacity as an Independent Controller.


5.2. Categories of Customer Personal Data (Processor Role)

When acting as a Data Processor on behalf of the Customer, iClosed processes only the categories of Personal Data that are submitted, generated, or controlled by the Customer through use of the Service.

The categories of Customer Personal Data processed by iClosed as a Processor may include, without limitation:


5.2.1. Lead and Contact Identity Data

Personal Data relating to individuals whose information is collected or managed by the Customer, including:

  • First and last name

  • Email address

  • Telephone number

  • Timezone and language preference (if provided)

  • Any additional fields created and configured by the Customer


5.2.2. Appointment and Scheduling Data

Data generated through Customer-configured scheduling activities, including:

  • Appointment dates and times

  • Availability selections

  • Rescheduling and cancellation metadata

  • Status indicators (e.g., booked, completed, no-show)


5.2.3. CRM and Sales Process Data

Data relating to Customer-defined sales workflows and CRM usage, including:

  • Lead stage or pipeline status

  • Deal values and expected revenue

  • Call outcomes, notes, and internal annotations created by Customer users

  • Tags, labels, and custom attributes configured by the Customer


5.2.4. Automation and Workflow Data

Data processed as a result of Customer-defined automations, including:

  • Trigger events and timestamps

  • Routing and assignment outcomes

  • Workflow execution metadata


5.2.5. Technical and Usage Identifiers (Customer-Facing)

Limited technical identifiers processed solely to enable Customer-configured functionality, including:

  • IP address

  • User-agent and browser information

  • Device type and operating system

  • UTM parameters or referral metadata supplied through Customer funnels


5.2.6. Customer-Uploaded Content

Content uploaded by or on behalf of the Customer, including:

  • CSV files

  • Images or logos

  • Documents or other assets associated with CRM or scheduling records


5.2.7 Communication Delivery Metadata

Communication Delivery Metadata, including phone numbers and technical delivery metadata (such as message routing identifiers, delivery status, timestamps, and queuing metadata), processed solely for the purpose of executing Customer-configured email or SMS workflows via AWS End-User Messaging services.

Message content is processed only transiently for delivery and is not stored or used by iClosed for any independent purpose.


5.2.8 Optional Feature Data (Conditional)

Where Customer enables optional features that involve third-party enrichment or similar processing, the relevant data categories and processing details are described in the applicable Feature Addendum (e.g., Addendum A).


5.2.9 Prohibited Data Elements

Unless expressly supported by the Services and agreed in writing by iClosed, Customer shall not submit to the Services Social Security numbers, government-issued identification numbers, full dates of birth, financial account numbers, payment card numbers, bank credentials, authentication credentials, or similarly highly sensitive identifiers (“Prohibited Elements”).

If iClosed becomes aware that Prohibited Elements have been submitted, iClosed may take reasonable steps to block, remove, or minimize further processing of such data in accordance with Applicable Data Protection Laws.


5.3 Categories of iClosed-Controlled Data (Controller Role)

When acting as an Independent Data Controller, iClosed processes limited categories of Personal Data strictly to the extent necessary to operate, secure, maintain, and improve the iClosed platform and its underlying infrastructure, and not for Customer CRM, lead management, scheduling decisions, or sales operations.

Such processing is limited to the following categories:


5.3.1 Account & Authentication Data

  • Account owner name and email

  • Team member identifiers and assigned roles

  • Login credentials (password hashes only; no plaintext passwords)

  • Authentication logs and session metadata

  • Role-based access permissions


5.3.2 Billing & Subscription Data

  • Billing contact information

  • Subscription plan details

  • Stripe customer identifiers

  • Payment method status (no card numbers or full payment details processed by iClosed)

  • Tax, invoicing, and accounting metadata required by law


5.3.3 Security, Abuse Prevention & Compliance Data

  • IP address logs used for security monitoring and access control

  • Rate-limiting, anomaly detection, and abuse-prevention logs

  • Fraud prevention and misuse detection signals

  • Audit trails required for legal, security, or compliance purposes

  • Incident response and investigation records


5.3.4 Platform Telemetry & Operational Analytics

  • Platform usage metrics related to feature interaction and system performance

  • Error, crash, and diagnostic logs

  • Aggregated system health indicators

  • Non-content telemetry generated by system events, which does not include message bodies, CRM records, lead content, appointment details, sales notes, or workflow data


5.3.5 Consent & Preference Management Data

  • Cookie consent records

  • Preference and consent timestamps

  • Consent withdrawal records

  • Regulatory compliance logs required to demonstrate lawful processing


5.3.6 Communications with Customer

Customer account communications processed by iClosed in its capacity as an Independent Controller, including:

  • support emails and support ticket correspondence;

  • in-platform chat messages initiated by Customer users (if enabled);

  • internal support notes created solely for troubleshooting, account assistance, or compliance documentation.

Such communications are processed exclusively for customer support, service administration, security, and compliance purposes, and are not used for marketing, profiling, or sales activities.

iClosed Controlled Data expressly excludes Customer CRM records, lead identities, appointment content, sales notes, deal values, message content, and Customer-configured workflows or business logic, all of which remain Customer Personal Data processed solely under Customer instructions as described in Clause 5.2.

Processing under this Clause is performed pursuant to GDPR Articles 6(1)(b), 6(1)(c), and/or 6(1)(f), and is subject to strict data minimization, access control, and retention limitations.


5.4 Purpose of Processing


5.4.1 Processing as Data Processor (Customer Personal Data)

When acting as a Data Processor, iClosed processes Customer Personal Data solely on documented instructions from Customer and exclusively for the purpose of providing the Services under the Master Agreement.

Any technical or organizational measures implemented by iClosed in connection with such processing are limited to enabling the provision, security, and reliability of the Services and do not affect Customer’s role as the sole Data Controller for Customer Personal Data.

Processor-level purposes include only:

  • capturing, storing, organizing, and displaying Customer CRM and scheduling data within the Customer’s account;

  • executing scheduling, routing, and workflow logic as configured by the Customer;

  • delivering Customer-initiated communications (including email and SMS) strictly in accordance with Customer-defined content and workflows;

  • enabling Customer-requested integrations, imports, exports, and API interactions; and

  • generating reports and analytics exclusively for the Customer’s internal use, derived from Customer Personal Data and accessible only within the Customer’s account.


Optional Feature Processing (Conditional). Where Customer enables an optional feature that involves third-party enrichment or similar processing (including iScore), iClosed will process the relevant Customer Personal Data solely on Customer’s documented instructions and solely to provide that optional feature, as further described in the applicable Feature Addendum (e.g., Addendum A).


5.4.2 Processing as Independent Data Controller (iClosed Controlled Data)

Where, and to the extent that, iClosed independently determines the purposes and essential means of processing for platform operations, security, billing, compliance, and system integrity, iClosed processes such Personal Data in its capacity as an Independent Data Controller.

Controller-level purposes are strictly limited to:

  • operating and maintaining the Service, including performance optimization, reliability, and feature stability;

  • managing account lifecycle activities, including authentication, access management, billing administration, subscription management, and customer communications related to account status;

  • ensuring platform security, fraud detection, abuse prevention, logging, diagnostics, and incident response;

  • managing consent preferences and compliance records required under applicable privacy and cookie regulations; and

  • complying with applicable legal obligations, lawful governmental requests, and enforcement of platform policies.


All processing under this Clause is carried out pursuant to GDPR Articles 6(1)(b), 6(1)(c), and/or 6(1)(f) and is subject to strict data minimization, access control, and retention limitations.

Processing under this Clause does not involve Customer CRM data and does not require Customer instructions.


5.4.3 Artificial Intelligence and Machine Learning Restrictions

iClosed shall not use Customer Personal Data to train, fine-tune, validate, or operate generalized artificial intelligence or machine learning models, including large language models or third-party AI systems, nor to profile Data Subjects or Customer business data.

For the avoidance of doubt, this restriction applies regardless of whether such models are operated internally by iClosed or by third-party providers.

This restriction does not prohibit iClosed from:

  • processing Customer Personal Data solely as necessary to provide the Services in accordance with Customer’s documented instructions; or

  • using aggregated or irreversibly anonymized data that no longer constitutes Personal Data, provided such data cannot reasonably be used to identify a Customer or Data Subject.


5.5 Retention Periods

iClosed retains Personal Data only for as long as necessary to fulfill the purposes for which the data is processed, in accordance with Applicable Data Protection Laws, contractual obligations, and legitimate business needs.


5.5.1 Customer Personal Data (Processor Role)

When acting as a Data Processor, iClosed retains Customer Personal Data:

  • For the duration of the Customer’s active subscription to the Service; and

  • Customer Personal Data shall be placed into a soft-deleted state, rendering it inaccessible to Customer and end users;

  • Such data shall be permanently deleted within a commercially reasonable period following termination or deletion request, subject to iClosed’s standard data deletion workflows and applicable legal obligations; and

  • Customer Personal Data contained in system backups shall be overwritten or deleted in accordance with iClosed’s standard backup retention practices, which are designed to ensure isolation from active systems and protection from further processing.


5.5.2 iClosed Controlled Data (Controller Role)

When acting as an Independent Data Controller, iClosed retains Personal Data processed for platform operations, security, compliance, billing, and analytics for the following periods:

  • Account and authentication data: Retained for the duration of the account and a reasonable period thereafter for security, audit, and dispute resolution purposes;

  • Billing and subscription data: Retained for the duration required by applicable tax, accounting, and financial regulations;

  • Security logs, audit trails, and fraud-prevention data: Retained for as long as necessary to investigate incidents, comply with legal obligations, and maintain system integrity;

  • Operational telemetry and analytics data: Retained in aggregated or anonymized form where feasible and for periods proportionate to their operational purpose.


5.5.3 Legal and Compliance Exceptions

Notwithstanding the foregoing, iClosed may retain Personal Data for longer periods where retention is required by:

  • Applicable law or regulatory obligations;

  • Lawful governmental or judicial requests;

  • Ongoing security investigations, fraud prevention, or dispute resolution; or

  • Enforcement of contractual or platform policies.


5.5.4 End of Retention

Upon expiration of applicable retention periods:

  • Personal Data is securely deleted or irreversibly anonymized; and

  • Any remaining aggregated or statistical data is no longer attributable to an identifiable individual.


5.6 Geographic Storage & International Transfers

Customer Personal Data processed by iClosed in its capacity as a Processor is primarily hosted and stored within data centers located in the European Union.

Notwithstanding the foregoing, limited and exceptional access to Customer Personal Data may occur from outside the European Economic Area (“EEA”) by authorized iClosed personnel (including engineering, security, and support staff) solely for the purposes of service maintenance, security monitoring, incident response, or customer support.

Such access:

  • Is strictly role-based and access-controlled;

  • Occurs only where necessary and proportionate;

  • Is fully encrypted in transit;

  • Is logged and monitored; and

  • Is subject to binding confidentiality obligations.


To the extent Customer Personal Data is transferred to or accessed by Sub-Processors located outside the EEA, such transfers are governed by the EU Standard Contractual Clauses (Module 2 – Controller to Processor) and supplemented by appropriate technical and organizational safeguards.

Optional Feature Transfers (Conditional). Where Customer enables an optional feature that involves Sub-Processors or processing locations outside the EEA/UK/Switzerland, the applicable transfer mechanism and supplementary safeguards will be described in the applicable Feature Addendum and/or governed by Chapter 8 (International Transfers).


Processing of iClosed Controlled Data (where iClosed acts as an independent Controller) may involve global infrastructure or personnel access and is conducted in accordance with applicable Data Protection Laws and as described in iClosed’s Privacy Policy.

Nothing in this Clause 5.6 shall be interpreted as permitting unrestricted or continuous international transfers of Customer Personal Data.


5.7 U.S. State Privacy Laws

To the extent Applicable Data Protection Laws include the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CPRA”) or similar U.S. state privacy laws, the Parties acknowledge and agree that:

(a) Customer acts as a “Business” and iClosed acts as a “Service Provider” or “Contractor,” as such terms are defined under the CPRA;

(b) iClosed processes Customer Personal Data solely for the limited and specified purpose of providing the Services in accordance with the Master Agreement and this DPA;

(c) iClosed does not sell or share Customer Personal Data, as such terms are defined under the CPRA, and does not retain, use, or disclose such data for any purpose other than performing the Services or as otherwise permitted under Applicable Data Protection Laws; and

For clarity, under the CPRA, ‘sell’ includes disclosures for monetary or other valuable consideration, and ‘share’ includes disclosures for cross-context behavioral advertising, whether or not for consideration.

(d) iClosed does not combine Customer Personal Data with Personal Data received from other sources except as permitted under Applicable Data Protection Laws.

  6. SECURITY MEASURES

This Chapter describes the technical and organizational measures implemented by iClosed to ensure a level of security appropriate to the risks associated with the processing of Personal Data, in accordance with Article 32 of the GDPR and comparable global data protection laws.


The measures described herein reflect iClosed’s security practices at the time of execution of this DPA and may be updated, modified, or enhanced over time, provided that the overall level of security remains appropriate to the risks presented by the processing, consistent with industry standards and Applicable Data Protection Laws.


6.1 Technical Security Measures

iClosed implements appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access, taking into account the nature, scope, context, and purposes of processing, as required under Article 32 GDPR and comparable global privacy laws.


6.1.1 Encryption


Encryption in Transit
All data transmitted between browsers, applications, APIs, and backend infrastructure is encrypted using industry-standard transport layer security (TLS 1.2 or higher).


Encryption at Rest
All databases, file storage, backups, and logs containing Personal Data are encrypted at rest using industry-standard encryption mechanisms, including:

  • AES-256 encryption; and

  • Managed key management services provided by the hosting infrastructure provider.

References to specific technical standards are illustrative of current practices and do not constitute a commitment to maintain identical technologies indefinitely.


6.1.2 Network & Infrastructure Security

iClosed employs layered network security controls, including:

  • Private virtual networks for application and database layers;

  • No direct public access to production databases;

  • Strict inbound and outbound traffic controls enforced through firewall rules;

  • Bastion-less architecture with no public SSH access;

  • Role-based access to infrastructure services;

  • Web application firewall protections for application-layer threats; and

  • Content delivery and edge security services for traffic filtering and mitigation.


6.1.3 Access Controls & Authentication

Access to systems processing Personal Data is restricted to authorized personnel based on the principle of least privilege and includes:

  • Role-based access control (RBAC);

  • Granular permission assignment based on job function;

  • Password hashing using bcrypt or equivalent cryptographic standards;

  • No storage of plaintext passwords;

  • Mandatory secure access protocols for internal system access;

  • Restricted and logged access to production systems; and

  • Audit logging of access events for security and compliance purposes.

Multi-factor authentication may be implemented where appropriate based on risk assessments and operational requirements.


6.1.4 Application Security

iClosed applies standard application-level security controls, including:

  • Cross-site request forgery (CSRF) protections;

  • Mitigation of cross-site scripting (XSS) and injection attacks;

  • Input validation on critical endpoints;

  • Rate limiting and abuse prevention mechanisms;

  • Automated safeguards against bot-based attacks; and

  • Session integrity controls.


6.1.5 Backup Security

iClosed maintains encrypted backups of production systems, including:

  • Encrypted snapshot backups;

  • Rolling retention periods consistent with operational requirements; and

  • Logical separation of backup storage from primary systems.

Backups are retained only for the duration necessary to support business continuity and recovery obligations.


6.1.6 Monitoring & Logging

iClosed employs continuous monitoring and logging mechanisms to detect, investigate, and respond to security events, including:

  • Application-level error monitoring;

  • Infrastructure performance and anomaly monitoring; and

  • Centralized log aggregation and alerting.

All logs:

  • Are access-restricted;

  • Are retained only for limited periods necessary for security and operational purposes; and

  • Are designed to avoid inclusion of sensitive Personal Data wherever reasonably feasible.



6.1.7 Enhanced Safeguards for Credit & Financial Enrichment Data (Conditional)

Where Customer enables optional features that involve elevated-sensitivity data, iClosed applies additional safeguards appropriate to the nature of such data as described in the applicable Feature Addendum (e.g., Addendum A).


6.1.8 Vulnerability & Abuse Management

iClosed maintains vulnerability and abuse management practices, including:

  • Automated vulnerability scanning and dependency monitoring;

  • Regular patching and remediation of identified risks;

  • Internal review of critical vulnerabilities and security advisories;

  • Abuse prevention mechanisms such as rate-limiting and anomaly detection; and

  • Fraud and bot-mitigation controls, including optional device-based signals when enabled.


6.2 Organizational Security Measures

iClosed maintains appropriate organizational measures designed to ensure the ongoing confidentiality, integrity, availability, and resilience of Personal Data processed under this DPA, taking into account the nature of the processing, the risks to Data Subjects, and the state of the art.


6.2.1 Personnel Training & Awareness

iClosed ensures that personnel with access to Personal Data:

  • receive role-appropriate training on data protection principles, information security practices, and confidentiality obligations;

  • are informed of their responsibilities under applicable Data Protection Laws and this DPA; and

  • are required to follow internal security and data handling policies relevant to their job functions.

Training is provided upon onboarding and refreshed periodically as appropriate.


6.2.2 Confidentiality Obligations

All iClosed personnel with access to Personal Data are subject to binding confidentiality obligations, including:

  • contractual or statutory duties of confidentiality;

  • restrictions on accessing Personal Data except as required to perform assigned duties; and

  • prohibitions on unauthorized disclosure, copying, or use of Personal Data.

These obligations survive termination of employment or engagement.


6.2.3 Access Governance & Least Privilege

iClosed implements access governance controls to ensure that:

  • access to systems processing Personal Data is granted strictly on a need-to-know basis;

  • access rights are role-based and limited to the minimum necessary for job responsibilities;

  • access permissions are reviewed periodically and adjusted promptly upon role changes or termination; and

  • privileged access to production systems is restricted and logged.


6.2.4 Vendor & Sub-Processor Due Diligence

Before engaging Sub-Processors that may process Customer Personal Data, iClosed conducts reasonable due diligence to assess:

  • the Sub-Processor’s security posture and data protection commitments;

  • contractual safeguards consistent with this DPA, including confidentiality and security obligations; and

  • the applicability of cross-border transfer safeguards where relevant.

Ongoing oversight is maintained in accordance with Clause 7 (Sub-Processors).


6.2.5 Incident Response & Breach Management

iClosed maintains documented procedures for identifying, responding to, and mitigating security incidents and Personal Data Breaches, including:

  • internal escalation and investigation workflows;

  • coordination between engineering, security, and legal functions; and

  • processes to assess impact and implement corrective measures.

Notification obligations toward Customers are governed by Chapter 9 of this DPA.


6.2.6 Data Minimization & Retention Governance

Organizational controls are in place to support data minimization and retention limits, including:

  • defined retention periods aligned with operational and legal requirements;

  • procedures for secure deletion or anonymization where applicable; and

  • internal controls to prevent unnecessary retention or use of Personal Data.


6.2.7 Governance Controls for Optional Sensitive Feature Data (Conditional)

Where Customer enables optional features that involve elevated-sensitivity data, iClosed maintains additional organizational controls appropriate to the nature of such data as described in the applicable Feature Addendum (e.g., Addendum A).


6.2.8 Remote Access Safeguards (For Non-EU Personnel)

Where authorized iClosed personnel located outside the EEA remotely access Customer Personal Data hosted within the EEA, such access is assessed in accordance with GDPR Chapter V. Where such access constitutes a restricted international transfer, appropriate safeguards are applied in accordance with this DPA.

Accordingly, the following safeguards apply:

  • Access is governed by EU Standard Contractual Clauses as applicable based on the roles of the Parties and the nature of the processing;

  • All access is encrypted in transit and logged;

  • Customer Personal Data is not downloaded or stored on local devices;

  • Strict role-based access controls apply, including least-privilege access for support staff;

  • Zero-trust principles are applied to internal systems; and

  • Remote access is permitted only through secured endpoints and authenticated channels.

These measures are designed to satisfy the requirements of GDPR Chapter V and applicable regulatory guidance concerning restricted international transfers.


6.2.9 Continuous Improvement

iClosed periodically reviews and updates its organizational security measures to address:

  • changes in applicable law;

  • evolving security risks; and

  • material changes to the Service or processing activities.

  7. Sub-Processors

iClosed engages certain third-party service providers (“Sub-Processors”) to support the delivery, operation, security, and maintenance of the iClosed platform.

Sub-Processors process Customer Personal Data only where strictly necessary to perform services on iClosed’s behalf and only in accordance with iClosed’s documented instructions, this DPA, and Applicable Data Protection Laws.


iClosed shall ensure that:

(a) each Sub-Processor is subject to a written agreement imposing data protection obligations that are no less protective than those set out in this DPA, including confidentiality, security, and restricted processing requirements;

(b) Sub-Processors process Customer Personal Data solely for the limited and specified purposes necessary to support the Services;

(c) Sub-Processors implement appropriate technical and organizational measures to protect Customer Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage; and

(d) iClosed remains responsible, in accordance with Article 28(4) GDPR, for the performance of each Sub-Processor’s data protection obligations to the extent required by Applicable Data Protection Laws.

For the avoidance of doubt:

  • Customer-enabled third-party integrations, including CRMs, automation tools, analytics tools, and tracking technologies selected and configured directly by Customer, are not Sub-Processors of iClosed; and

  • iClosed does not control, instruct, or assume responsibility for processing activities performed by such Customer-controlled third parties.


iClosed maintains an up-to-date list of authorized Sub-Processors used to process Customer Personal Data (the “Sub-Processor List”). The Sub-Processor List is available at: https://iclosed.io/sub-processors and may also be provided upon written request. Notification of any intended addition or replacement of Sub-Processors, and Customer’s objection rights, are governed exclusively by Clauses 7.4 and 7.5.


7.1 Authorized Sub-Processors

Customer hereby authorizes iClosed to engage Sub-Processors for the purposes of providing the Services, including the following categories of processing support:


7.1.1 Authorized Sub-Processor Categories

iClosed may engage Sub-Processors for:

(a) Cloud Infrastructure & Hosting
Compute, storage, networking, backups, content delivery, and security infrastructure.

(b) Email and Messaging Delivery
Transactional and system-generated emails and SMS messages initiated by Customer configurations.

(c) Payment & Subscription Management
Billing, invoicing, and subscription administration (payment processing performed directly by the payment provider).

(d) Analytics, Monitoring & Diagnostics
Product analytics, performance monitoring, error tracking, and system diagnostics, subject to strict data minimization and logging controls.

(e) Consent & Preference Management
Collection, storage, and enforcement of user consent and preference records where required by law.

(f) Security, Fraud Prevention & Abuse Detection
Limited technical signals used solely to protect the Service against abuse, fraud, or malicious activity, where enabled.

Additional Sub-Processors may be engaged for optional features only where such features are enabled by Customer and will be disclosed in the Sub-Processor List and/or the applicable Feature Addendum (e.g., Addendum A).


Clarifications

  • Sub-Processors do not process Customer Personal Data for their own independent purposes.

  • Sub-Processors are not permitted to use Customer Personal Data for marketing, advertising, or AI training, in accordance with Clause 5.4.3 (Artificial Intelligence and Machine Learning Restrictions).

  • Sub-Processors are contractually bound to confidentiality, security, and data protection obligations at least equivalent to those set out in this DPA.


7.1.2 Customer-Controlled Integrations

For the avoidance of doubt:

  • Third-party tools, CRMs, analytics platforms, automation tools, or tracking technologies enabled or integrated by Customer (e.g., CRMs, marketing pixels, automation platforms) are not Sub-Processors of iClosed.

  • Such third parties act as independent Controllers or Processors under Customer’s control.

  • The Customer is solely responsible for ensuring lawful use, disclosure, and compliance for those integrations.


7.2 Customer-Controlled Integrations (Not Sub-Processors)

The Parties acknowledge that certain third-party services may be connected to the iClosed platform solely at the direction and discretion of the Customer (“Customer-Controlled Integrations”).


Such Customer-Controlled Integrations are not Sub-Processors of iClosed, because:

(a) the Customer independently selects, enables, and configures such integrations;
(b) the Customer determines the purposes and means of any data processing performed by such third parties; and
(c) iClosed does not determine how such third parties process Personal Data once data is transmitted pursuant to Customer instructions.


Examples of Customer-Controlled Integrations include, without limitation:

  • Customer-selected CRM systems (e.g., HubSpot, Salesforce, Pipedrive, Close, Zoho);

  • Automation and workflow tools (e.g., Zapier, Make.com, custom webhooks);

  • Customer-owned analytics, tracking, or advertising technologies (e.g., Google Analytics, Facebook Pixel, Hyros, TikTok Pixel);

  • Customer-managed AI tools or third-party messaging providers configured outside the iClosed platform.


For such Customer-Controlled Integrations:

  • the Customer acts as the Data Controller (or equivalent role under applicable law);

  • the third-party service provider acts as an independent Controller or Processor directly engaged by the Customer; and

  • iClosed’s role is limited to transmitting data in accordance with the Customer’s documented instructions.


The Customer is solely responsible for:

  • assessing the compliance of Customer-Controlled Integrations with Applicable Data Protection Laws;

  • entering into any required data processing agreements with such third parties; and

  • ensuring appropriate legal bases, disclosures, and safeguards for any onward transfers initiated by the Customer.

iClosed shall not be responsible or liable for the data protection practices, security measures, or legal compliance of Customer-Controlled Integrations.


7.3 Sub-Processor Obligations

iClosed shall ensure that any Sub-Processor engaged to process Customer Personal Data on iClosed’s behalf is subject to a written agreement that imposes data protection obligations that are no less protective than those set out in this DPA, as required under Article 28(4) GDPR and applicable Data Protection Laws.


Without limiting the foregoing, iClosed shall ensure that each Sub-Processor is contractually obligated to:

(a) process Customer Personal Data only on documented instructions from iClosed, consistent with Customer instructions under this DPA;

(b) implement appropriate technical and organizational security measures designed to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage;

(c) ensure that personnel authorized to process Customer Personal Data are subject to binding confidentiality obligations;

(d) support compliance with applicable international transfer safeguards, including execution of EU Standard Contractual Clauses (Modules 2 and/or 3, as applicable), where Customer Personal Data is accessed or processed outside the EEA;

(e) notify iClosed without undue delay of any Personal Data Breach involving Customer Personal Data, to enable iClosed to meet its notification obligations under this DPA;

(f) assist iClosed, where applicable and proportionate, in meeting obligations relating to data security, breach response, and Data Subject rights under Applicable Data Protection Laws; and

(g) upon termination of the Sub-Processor’s services, delete or return Customer Personal Data in accordance with iClosed’s instructions, unless retention is required by law.


iClosed shall remain fully responsible for the performance of each Sub-Processor’s obligations under this DPA to the same extent as if iClosed were performing the services directly.


7.4 Notification of New Sub-Processors

iClosed shall provide Customer with advance notice of any intended addition or replacement of a Sub-Processor that processes Customer Personal Data by:

(a) updating the Sub-Processor List referenced in this DPA; and

(b) providing at least thirty (30) days’ prior notice through reasonable means, including electronic notification or publication on iClosed’s website or documentation.

Customer’s right to object to such changes is governed by Clause 7.5.


7.4.1 Emergency Replacements

Notwithstanding Clause 7.4, iClosed may replace or add a Sub-Processor on shorter notice where reasonably necessary to (a) address an urgent security risk, (b) avoid material service disruption, or (c) comply with applicable law. In such cases, iClosed will notify Customer as soon as reasonably practicable and Customer may object in accordance with Clause 7.5 within thirty (30) days of the Notice Date.


7.5 Customer Objection Rights

Customer may object to the engagement of a new or replacement Sub-Processor only where Customer reasonably demonstrates that the Sub-Processor’s involvement would materially increase the risk to Customer Personal Data or would cause Customer to be in violation of Applicable Data Protection Laws.


Any objection must:

  • be submitted in writing to iClosed at hello@iclosed.io;

  • be based on documented and reasonable data protection grounds; and

  • be received within thirty (30) days of Customer’s receipt of notice under Clause 7.4.

Upon receipt of a valid objection, iClosed shall, acting in good faith and using commercially reasonable efforts:

  • propose a commercially reasonable alternative Sub-Processor; or

  • implement additional technical or organizational safeguards designed to mitigate the identified risk.


If iClosed determines that no reasonable alternative or mitigation is available, Customer may terminate the affected portion of the Services without penalty, and such termination shall constitute Customer’s sole and exclusive remedy with respect to such objection. Customer shall not be entitled to object to a Sub-Processor based solely on commercial preferences, jurisdictional location alone, or generalized risk concerns not specific to the proposed Sub-Processor.


7.6 Liability for Sub-Processors

iClosed remains responsible for the performance of its Sub-Processors’ obligations with respect to the processing of Customer Personal Data to the same extent that iClosed would be responsible if it were performing such processing directly, in accordance with Applicable Data Protection Laws and this DPA.


iClosed shall ensure that each Sub-Processor engaged to process Customer Personal Data is bound by a written agreement that:

(a) imposes data protection obligations substantially equivalent to those set out in this DPA, including confidentiality, security, and data protection requirements;

(b) restricts processing of Customer Personal Data to the purposes necessary to support the Services and only on documented instructions from iClosed; and

(c) includes appropriate safeguards for international data transfers where applicable.

Notwithstanding the foregoing, iClosed shall not be liable for the acts or omissions of Sub-Processors to the extent such acts or omissions result from:

  • Customer instructions or configurations provided through the Service;

  • Customer-controlled integrations, systems, or third-party tools; or

  • Customer’s failure to comply with Applicable Data Protection Laws.


Nothing in this Clause 7.6 shall be interpreted as creating joint controllership between Customer and any Sub-Processor.


7.7 International Transfers by Sub-Processors

Where a Sub-Processor engaged by iClosed processes or accesses Customer Personal Data outside the European Economic Area (“EEA”), iClosed shall ensure that such transfer is subject to appropriate safeguards in accordance with Chapter V of the GDPR and other applicable Data Protection Laws.


Without limitation, such safeguards shall include:

(a) execution of the EU Standard Contractual Clauses (“SCCs”), including:

  • Module 2 (Controller → Processor), and/or

  • Module 3 (Processor → Sub-Processor),
    as applicable to the transfer context;

(b) implementation of supplementary technical and organizational measures designed to protect Customer Personal Data against unauthorized access, disclosure, or governmental overreach, including encryption, access controls, and data minimization; and

(c) assessment of the legal framework of the destination country through a documented transfer impact assessment (“TIA”), where required under Applicable Data Protection Laws.

iClosed shall remain responsible for ensuring that any Sub-Processor provides a level of protection for Customer Personal Data that is essentially equivalent to that guaranteed under Applicable Data Protection Laws.


For the avoidance of doubt:

  • Sub-Processors shall not engage in onward transfers of Customer Personal Data without appropriate safeguards;

  • Sub-Processors shall process Customer Personal Data solely for the purposes of providing services to iClosed and in accordance with iClosed’s documented instructions; and

  • iClosed remains fully liable to Customer for the performance of its Sub-Processors’ data protection obligations under this DPA.


This Clause does not restrict iClosed from using Sub-Processors with global operations, provided that the requirements of this Clause are met.


7.8 Technical and Organizational Safeguards for Sub-Processors

iClosed shall ensure that each Sub-Processor engaged to process Customer Personal Data on its behalf implements appropriate technical and organizational measures designed to protect such data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.


Such safeguards shall be commensurate with the nature, scope, context, and purposes of the processing, and shall include, as applicable:

  • encryption of Personal Data in transit and at rest;

  • access controls limiting data access to authorized personnel on a need-to-know basis;

  • logical separation of Customer Personal Data from other customers’ data where appropriate;

  • incident detection and response procedures; and

  • confidentiality obligations binding Sub-Processor personnel.


iClosed shall ensure that no Sub-Processor receives access to Customer Personal Data beyond what is strictly necessary to perform the services for which it is engaged.


iClosed shall remain responsible, in accordance with Clause 7.6, for ensuring that Sub-Processors process Customer Personal Data in compliance with this DPA and Applicable Data Protection Laws.


7.9 Sub-Processor Audit Rights

iClosed shall maintain appropriate oversight of its Sub-Processors and shall assess their data protection and security practices on a periodic basis, taking into account the nature of the processing and the risks to Customer Personal Data.


Such oversight may include, as appropriate:

  • review of Sub-Processor security documentation, policies, and procedures;

  • review of relevant third-party audit reports or certifications (such as SOC 2 Type II, ISO 27001, or equivalent), where available; and

  • contractual commitments requiring Sub-Processors to implement technical and organizational measures consistent with this DPA.

Customer acknowledges and agrees that:

  • Customer shall not have a direct audit right over iClosed’s Sub-Processors;

  • iClosed is not required to disclose confidential security information, trade secrets, or Sub-Processor proprietary materials; and

  • on-site audits of Sub-Processors are not required unless expressly mandated by Applicable Data Protection Laws.


Upon reasonable written request, iClosed shall provide Customer with a summary of the oversight measures applied to Sub-Processors, or copies of relevant audit summaries or certifications, to the extent legally permissible and subject to confidentiality obligations.


Nothing in this Clause obligates iClosed to obtain bespoke audit reports, allow direct Sub-Processor access, or conduct audits beyond what is commercially reasonable and customary for SaaS providers of similar size and risk profile.


7.10 Termination of Sub-Processor Access

Upon termination or expiration of a Sub-Processor’s engagement involving the processing of Customer Personal Data, iClosed shall ensure that such Sub-Processor, without undue delay:

(a) Ceases all processing of Customer Personal Data on behalf of iClosed;

(b) Returns or securely deletes all Customer Personal Data in its possession or control, unless retention is required by applicable law;

(c) Revokes all access credentials, API keys, tokens, and permissions previously granted to the Sub-Processor;

(d) Implements appropriate safeguards to ensure that no residual access to Customer Personal Data remains; and

(e) Provides written confirmation to iClosed, upon request, that the obligations in this Clause have been fulfilled.


Where deletion is technically infeasible due to lawful backup or archival systems, the Sub-Processor shall:

  • continue to protect such data in accordance with this DPA and Applicable Data Protection Laws;

  • restrict access strictly to authorized personnel; and

  • permanently delete such data in accordance with its standard retention and deletion cycles.


iClosed shall remain responsible and fully liable for compliance with this Clause and for any acts or omissions of its Sub-Processors in relation to Customer Personal Data, in accordance with Clause 7.6.

  8. INTERNATIONAL TRANSFERS & STANDARD CONTRACTUAL CLAUSES

This Chapter describes the circumstances under which Personal Data processed under this DPA may be subject to international transfers, and the legal safeguards implemented to ensure compliance with Chapter V of the GDPR and comparable global data transfer requirements.


For the purposes of this DPA:

  • Customer Personal Data processed by iClosed in its capacity as a Data Processor is hosted primarily within the European Union; however,

  • Certain processing activities may involve restricted international transfers, including remote access by authorized personnel or processing by Sub-Processors located outside the European Economic Area (“EEA”).


iClosed does not engage in unrestricted, bulk, or systematic transfers of Customer Personal Data outside the EEA. Any international access or transfer occurs only where necessary, proportionate, and subject to appropriate legal, technical, and organizational safeguards.

Where a transfer of Customer Personal Data to a third country occurs that does not benefit from an adequacy decision under GDPR Article 45, such transfer shall be governed by Standard Contractual Clauses (“SCCs”) adopted by the European Commission pursuant to GDPR Article 46, together with supplementary measures as required.


This Chapter sets out:

  • the scenarios in which international transfers may occur;

  • the legal mechanisms relied upon to legitimize such transfers; and

  • the safeguards applied to protect Customer Personal Data during international access or processing.


Processing of Personal Data for which iClosed acts as an Independent Controller may involve global infrastructure or personnel access and is governed separately under applicable Data Protection Laws and iClosed’s Privacy Policy.


8.1 Standard Contractual Clauses

To the extent that the processing of Personal Data involves a restricted international transfer under Applicable Data Protection Laws, such transfer shall be governed by the EU Standard Contractual Clauses adopted by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914 (“SCCs”).


For the avoidance of doubt, with respect to Customer Personal Data processed under this DPA, the Parties acknowledge that Customer acts as Data Controller and iClosed acts as Data Processor, and therefore Module Two (Controller to Processor) applies.


For transfers of Customer Personal Data subject to the UK GDPR, the EU Standard Contractual Clauses incorporated into this DPA shall be deemed amended and supplemented by the UK International Data Transfer Addendum issued by the UK Information Commissioner’s Office, which is hereby incorporated by reference.


For transfers of Customer Personal Data subject to Swiss data protection laws, references to the GDPR in the Standard Contractual Clauses shall be interpreted to include the Swiss Federal Act on Data Protection, and the competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner.


The applicable SCC module shall be determined based on the respective roles of the Parties for the relevant processing activity, as set out in this DPA:

(a) Module One (Controller to Controller) applies where both Parties act as independent Data Controllers;

(b) Module Two (Controller to Processor) applies where Customer acts as Data Controller and iClosed acts as Data Processor; and

(c) Module Three (Processor to Processor) applies only where both Parties act as Data Processors for the same Personal Data.


The Annexes to the SCCs shall be deemed completed by reference to the relevant sections of this DPA, including:

  • Annex I (List of Parties and Description of Transfer): Clauses 1, 3, 4, and 5 of this DPA, together with the Master Agreement and applicable order forms;

  • Annex II (Technical and Organizational Measures): Chapter 6 of this DPA; and

  • Annex III (List of Sub-Processors): Clause 7 of this DPA.


In the event of any conflict between the SCCs and this DPA, the SCCs shall prevail to the extent required by Applicable Data Protection Laws.


8.2 Hosting Location

Customer Personal Data processed by iClosed in its capacity as a Data Processor is hosted and stored within cloud infrastructure located in the European Union.


Hosting Customer Personal Data within the EU reduces the need for cross-border transfers; however, hosting location alone does not eliminate all transfer obligations under GDPR where:

  • authorized iClosed personnel located outside the EEA access Customer Personal Data on a limited and controlled basis; or

  • Sub-Processors established outside the EEA provide supporting services that involve access to Customer Personal Data.


Such scenarios are addressed explicitly in the subsequent clauses of this Chapter and may constitute restricted international transfers under Applicable Data Protection Laws, depending on the nature and circumstances of the access.


Where such access qualifies as a restricted international transfer, iClosed applies appropriate safeguards in accordance with this DPA, including Standard Contractual Clauses and supplementary technical and organizational measures.


8.3 Remote Access by Non-EU Personnel

Although Customer Personal Data is hosted and stored within data centers located in the European Union, iClosed may permit limited and controlled remote access to such data by authorized personnel located outside the European Economic Area (“EEA”), including engineering, security, and support staff, solely where necessary for the purposes of service maintenance, security monitoring, incident response, or customer support.


Any such remote access:

  • is strictly limited to personnel with a demonstrated operational need;

  • is subject to role-based access controls and least-privilege principles;

  • occurs exclusively through secured and authenticated endpoints;

  • is encrypted in transit using industry-standard encryption protocols;

  • is logged, monitored, and auditable; and

  • is subject to binding confidentiality and data protection obligations.


Although Customer Personal Data is hosted and stored within the European Union, iClosed may permit limited and controlled remote access by authorized personnel located outside the EEA for operational, security, or support purposes.


Such remote access is evaluated on a case-by-case basis in accordance with GDPR Chapter V. Where the access qualifies as a restricted international transfer, iClosed applies appropriate safeguards, including Standard Contractual Clauses and supplementary technical and organizational measures, as required.


8.4 International Transfers by Sub-Processors

Where a Sub-Processor engaged by iClosed processes or accesses Customer Personal Data from a location outside the European Economic Area (“EEA”), such processing shall constitute a restricted international transfer under GDPR Chapter V.


iClosed shall ensure that any such transfer is subject to appropriate safeguards in accordance with Article 46 GDPR, including, as applicable:

(a) the execution and incorporation of the European Commission-approved Standard Contractual Clauses (“SCCs”), including:

  • Module 2 (Controller to Processor), where applicable; and/or

  • Module 3 (Processor to Sub-Processor), where applicable;

(b) the implementation of supplementary technical and organizational measures designed to ensure a level of protection essentially equivalent to that guaranteed within the EEA, including:

  • encryption in transit and at rest;

  • access restrictions based on least-privilege principles;

  • logging and monitoring of access; and

  • contractual confidentiality obligations binding Sub-Processor personnel;

(c) the performance and documentation of Transfer Impact Assessments (“TIAs”) where required under applicable Data Protection Laws.


Sub-Processors shall be contractually prohibited from engaging in onward transfers of Customer Personal Data to additional third parties without iClosed’s prior authorization and without equivalent safeguards being in place.


Nothing in this Clause 8.4 shall be interpreted as permitting unrestricted, continuous, or bulk international transfers of Customer Personal Data. All transfers shall be limited to what is necessary for the provision of the Services and subject to ongoing oversight by iClosed.


8.5 Transfer Safeguards Implemented

All international transfers of Customer Personal Data carried out under this DPA are subject to appropriate safeguards in accordance with GDPR Articles 44–46 and comparable global data transfer requirements.


Where iClosed transfers or permits access to Customer Personal Data outside the European Economic Area (“EEA”), iClosed implements the following safeguards:


8.5.1 Standard Contractual Clauses (SCCs)

The Parties agree that the EU Standard Contractual Clauses adopted by the European Commission under Decision (EU) 2021/914 are incorporated by reference into this DPA and apply automatically where required:

  • Module 2 (Controller → Processor) applies where Customer is the Controller and iClosed acts as Processor;

  • Module 3 (Processor → Sub-Processor) applies where iClosed engages Sub-Processors that process Customer Personal Data outside the EEA.


No additional signatures are required for the SCCs to take effect.

In the event of any conflict between the SCCs and this DPA, the SCCs shall prevail with respect to international data transfers.


8.5.2 Transfer Impact Assessments (TIAs)

Where required under Applicable Data Protection Laws, iClosed conducts and maintains Transfer Impact Assessments to evaluate:

  • the legal framework of the destination country;

  • the nature of the transferred data;

  • the likelihood of governmental access inconsistent with EU data protection standards; and

  • the effectiveness of supplementary safeguards.

TIAs are reviewed periodically and updated where material changes occur.


8.5.3 Technical Safeguards

To supplement the SCCs, iClosed implements appropriate technical safeguards, including:

  • encryption of Customer Personal Data in transit using industry-standard protocols;

  • encryption at rest within secure infrastructure;

  • role-based access controls and least-privilege access principles;

  • logging and monitoring of access to Customer Personal Data; and

  • restrictions on local storage, copying, or export of Customer Personal Data by authorized personnel.


8.5.4 Organizational Safeguards

iClosed applies organizational measures designed to ensure lawful and secure transfers, including:

  • confidentiality obligations for all personnel with access to Customer Personal Data;

  • internal access governance and authorization procedures;

  • mandatory data protection and security training; and

  • documented incident response and escalation procedures.


8.5.5 Contractual Safeguards with Sub-Processors

All Sub-Processors engaged by iClosed that may process Customer Personal Data outside the EEA are contractually required to:

  • enter into SCCs (Module 3) or equivalent lawful transfer mechanisms;

  • implement technical and organizational measures equivalent to those required under this DPA;

  • restrict onward transfers without appropriate safeguards; and

  • notify iClosed of any inability to comply with the transfer safeguards.

Nothing in this Clause 8.4 shall be interpreted as permitting unrestricted, bulk, or continuous international transfers of Customer Personal Data. All transfers are limited to what is necessary and proportionate for the purposes described in this DPA.


8.6 Lawful Basis for International Transfers

Any transfer of Customer Personal Data to a country outside the European Economic Area (“EEA”) is carried out in compliance with Chapter V of the GDPR and is based on one or more of the following lawful transfer mechanisms, as applicable:

(a) Standard Contractual Clauses (SCCs)
Where Customer Personal Data is transferred to or accessed by iClosed or its Sub-Processors in a third country that does not benefit from an adequacy decision under Article 45 GDPR, such transfers are governed by the European Commission’s Standard Contractual Clauses pursuant to Article 46(2)(c) GDPR:

  • Module 2 (Controller to Processor), where iClosed acts as a Processor; and/or

  • Module 3 (Processor to Sub-Processor), where applicable.

(b) Supplementary Measures
Transfers subject to SCCs are supplemented by appropriate technical, organizational, and contractual safeguards, including but not limited to:

  • Encryption in transit and at rest;

  • Role-based access controls and least-privilege access;

  • Logging and monitoring of access;

  • Confidentiality obligations for authorized personnel; and

  • Transfer Impact Assessments (“TIAs”) where required.

(c) Necessity for Contract Performance
In limited circumstances, transfers may be necessary for the performance of the contract between Customer and iClosed pursuant to Article 49(1)(b) GDPR, provided such transfers are occasional and proportionate.

(d) Legal Compliance
Transfers may also occur where required to comply with applicable legal obligations, lawful governmental requests, or regulatory requirements, subject to appropriate safeguards.

For the avoidance of doubt, iClosed does not rely on consent under Article 49(1)(a) GDPR as a primary transfer mechanism for Customer Personal Data.


8.7 Customer Restrictions on Direct International Transfers

Customer shall not instruct iClosed to transfer, disclose, or otherwise make available Customer Personal Data to any third party or destination located outside the European Economic Area (“EEA”) unless Customer has independently ensured that such transfer complies with Applicable Data Protection Laws.

Without limitation, Customer shall be solely responsible for:

(a) ensuring a valid legal basis exists for any Customer-initiated international transfer of Customer Personal Data, including through exports, APIs, integrations, or third-party tools enabled by Customer;

(b) implementing appropriate transfer safeguards where required, including Standard Contractual Clauses, adequacy decisions, or other lawful transfer mechanisms;

(c) ensuring that any third parties or systems designated by Customer provide adequate data protection guarantees; and

(d) complying with all transparency, notice, and consent obligations owed to Data Subjects in connection with such transfers.

iClosed shall not be responsible or liable for any international transfer of Customer Personal Data initiated, configured, or controlled by Customer outside the scope of this DPA or the Services, including transfers performed via Customer-enabled integrations, exports, or downstream processing systems.

Nothing in this Clause obligates iClosed to assess, approve, or monitor the legality of Customer-initiated international transfers.


8.8 Data Localization Options (Optional Enterprise Feature)

Data localization requirements may vary depending on Customer’s regulatory, contractual, or internal compliance obligations.


Where expressly agreed in writing as part of an enterprise subscription or separate data processing addendum, iClosed may offer optional data localization or access-restriction configurations, which may include:

  • hosting Customer Personal Data in a specified geographic region;

  • limiting administrative or support access to designated regions; or

  • implementing enhanced access controls or segregation measures.


Any such data localization measures:

  • are not provided by default;

  • are subject to technical feasibility and commercial agreement;

  • do not eliminate all international access where remote support, security monitoring, or incident response is required; and

  • do not apply to iClosed-Controlled Data processed in iClosed’s capacity as an Independent Controller.


Customer acknowledges that:

  • standard operation of the Service involves limited, controlled international access as described in this DPA;

  • localization measures do not replace or supersede applicable transfer safeguards under GDPR Chapter V; and

  • where international access or transfers occur, they remain governed by the Standard Contractual Clauses and supplementary safeguards described in this DPA.


Nothing in this Clause 8.7 shall be interpreted as a guarantee of absolute data residency, isolation from global infrastructure, or exclusion of international personnel access unless expressly agreed in writing.


8.9 Disclosures Required by Law

If iClosed receives a legally binding request from a governmental, regulatory, law enforcement, or judicial authority outside the European Economic Area requesting access to Customer Personal Data (“Government Request”), iClosed shall:

(a) Review the legality of the request, including whether the requesting authority has appropriate jurisdiction and authority under applicable law;

(b) Challenge the request where there are reasonable grounds to do so, including where the request is unlawful, disproportionate, or not legally binding, unless prohibited by applicable law;

(c) Notify the Customer without undue delay of the request, including sufficient details to enable the Customer to assess the request and exercise any available legal remedies, unless iClosed is legally prohibited from providing such notice;

(d) Disclose only the minimum amount of Customer Personal Data strictly required to comply with the request, consistent with the principle of data minimization;

(e) Document the request and the response, including the legal basis for disclosure and any safeguards applied; and

(f) Apply appropriate technical and organizational safeguards to protect Customer Personal Data during any compelled disclosure.


Where notice to the Customer is legally prohibited, iClosed shall use commercially reasonable efforts to obtain a waiver or minimize the scope and duration of such prohibition.


Nothing in this Clause shall require iClosed to disclose Customer Personal Data where doing so would violate Applicable Data Protection Laws or the EU Standard Contractual Clauses.


This Clause is intended to comply with Clause 15 of the EU Standard Contractual Clauses and applicable transparency obligations under GDPR Chapter V.


8.10 Prohibition on Mass or Unlawful Transfers

iClosed does not engage in mass, indiscriminate, or unrestricted international transfers of Customer Personal Data.

In particular, iClosed shall not:

(a) transfer entire Customer databases or bulk Customer Personal Data to a third country without an appropriate legal transfer mechanism under Applicable Data Protection Laws;

(b) permit access to Customer Personal Data from outside the European Economic Area (“EEA”) except where such access is strictly necessary, proportionate, and protected by the safeguards described in this Chapter 8;

(c) disclose Customer Personal Data to governmental, regulatory, or law enforcement authorities outside the EEA except where legally required to do so and in accordance with Clause 8.8 (Disclosures Required by Law);

(d) authorize Sub-Processors or personnel to access Customer Personal Data in a manner that exceeds the minimum access required to perform their permitted functions; or

(e) engage in onward transfers of Customer Personal Data that would circumvent or undermine the protections provided by the EU Standard Contractual Clauses, applicable Transfer Impact Assessments, or technical and organizational safeguards.


Customer acknowledges that:

(i) access to Customer Personal Data by iClosed personnel or Sub-Processors located outside the EEA, when permitted under this DPA, is limited, controlled, logged, and safeguarded in accordance with Chapter V GDPR requirements; and

(ii) iClosed is not responsible for international transfers initiated or controlled solely by Customer, including exports, API usage, integrations, or disclosures made by Customer to third parties outside the Service.


Nothing in this Clause shall be interpreted as restricting iClosed from performing lawful, limited international access or transfers that are necessary for service operation, security, compliance, or support, provided that such access or transfers comply with this DPA and Applicable Data Protection Laws.


8.11 Incorporation of Standard Contractual Clauses

By entering into the Master Agreement, executing this DPA, or using the Services, the Parties agree that the applicable EU Standard Contractual Clauses (“SCCs”) are hereby incorporated by reference and form an integral part of this DPA where required under Applicable Data Protection Laws.


The applicable SCCs shall apply as follows:

(a) Module Two (Controller to Processor) shall apply where Customer acts as a Controller and iClosed acts as a Processor in respect of Customer Personal Data; and

(b) Module Three (Processor to Sub-Processor) shall apply where Customer Personal Data is transferred by iClosed to authorized Sub-Processors located outside the European Economic Area.


For the purposes of the SCCs:

  • the information required under Annex I, Annex II, and Annex III of the SCCs is set out in this DPA, including in Chapters 5 through 8 and the Sub-Processor documentation referenced herein;

  • the Parties agree that this DPA, together with the incorporated SCCs, satisfies the requirements of GDPR Chapter V; and

  • in the event of any conflict between this DPA and the SCCs, the SCCs shall prevail to the extent required by Applicable Data Protection Laws.

No additional signatures or separate execution of the SCCs shall be required for them to be legally binding.

  9. DATA SUBJECT RIGHTS & CUSTOMER ASSISTANCE

This Chapter sets out the Parties’ respective obligations regarding the handling of Data Subject rights requests under Applicable Data Protection Laws, including but not limited to GDPR Articles 12–23 and equivalent global privacy laws.


The Parties acknowledge that responsibility for responding to Data Subject requests depends on whether iClosed processes the relevant Personal Data in its capacity as a Data Processor (for Customer Personal Data) or as an Independent Data Controller (for iClosed-Controlled Data), as defined in this DPA.

Accordingly:

  • Customer, as Data Controller, is solely responsible for responding to Data Subject requests relating to Customer Personal Data processed by iClosed on Customer’s behalf; and

  • iClosed, as Independent Data Controller, is responsible for responding to Data Subject requests relating to iClosed-Controlled Data processed for its own operational, security, billing, compliance, or platform purposes.

Nothing in this Chapter shall be interpreted as requiring iClosed to respond directly to Data Subjects in relation to Customer Personal Data, except where required by Applicable Law.


9.1 Processor Obligations for Customer Personal Data

Where iClosed processes Customer Personal Data in its capacity as a Data Processor (as defined in this DPA), iClosed shall comply with the obligations set out in Article 28 of the GDPR and analogous requirements under Applicable Data Protection Laws, and shall:


9.1.1 Process Only on Documented Instructions

Process Customer Personal Data solely on documented instructions from Customer, as reflected in:

  • this DPA,

  • the Master Agreement,

  • Customer’s configurations, settings, and actions within the iClosed platform, and

  • applicable API or integration usage initiated by Customer.


iClosed shall not process Customer Personal Data for any purpose outside the scope of such documented instructions unless required to do so by Applicable Law, in which case iClosed shall notify Customer of such requirement unless prohibited by law.


9.1.2 Confidentiality

Ensure that all personnel authorized to process Customer Personal Data:

  • are subject to binding confidentiality obligations (contractual or statutory), and

  • access such data only to the extent necessary to perform their job functions.


9.1.3 Security Measures

Implement and maintain appropriate technical and organizational measures in accordance with Chapter 6 of this DPA to protect Customer Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage.


9.1.4 Sub-Processor Controls

Engage Sub-Processors only in accordance with Chapter 7 of this DPA, and remain responsible for ensuring that any authorized Sub-Processor provides data protection safeguards equivalent to those set out in this DPA.


9.1.5 Assistance with Data Subject Rights

Taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as reasonably possible, in fulfilling Customer’s obligations to respond to requests for the exercise of Data Subject rights under Applicable Data Protection Laws.


iClosed shall not respond directly to such requests unless legally required, and shall instead forward them to Customer without undue delay.


9.1.6 Assistance with Compliance Obligations

Assist Customer, to the extent reasonably required and taking into account the information available to iClosed, with:

  • security and breach notification obligations;

  • data protection impact assessments (where applicable); and

  • consultations with supervisory authorities, where required by law.


9.1.7 Deletion or Return of Data

Upon termination or expiration of the Master Agreement, process Customer Personal Data in accordance with Clause 10.3.3 (Termination & Data Deletion), unless Applicable Law requires continued storage.


9.1.8 Demonstration of Compliance

Make available to Customer, upon reasonable request, information necessary to demonstrate compliance with this DPA and Applicable Data Protection Laws, subject to confidentiality, security, and audit limitations set out in Clause 10.5.


9.2 Data Subject Rights for iClosed-Controlled Data

Where iClosed processes Personal Data in its capacity as an Independent Data Controller, as described in this DPA, iClosed shall respond directly to Data Subject requests relating to such iClosed-Controlled Data in accordance with Applicable Data Protection Laws.

Such rights may include, where applicable:

  • the right to access Personal Data processed by iClosed as Controller;

  • the right to rectification of inaccurate or incomplete Personal Data;

  • the right to erasure, subject to legal, contractual, or security-related retention obligations;

  • the right to restriction of processing where required by law;

  • the right to data portability, where applicable; and

  • the right to object to processing based on legitimate interests, where permitted by law.


iClosed shall verify the identity of the requesting Data Subject prior to fulfilling any request and may request additional information where reasonably necessary to prevent unauthorized disclosure or deletion.

Certain categories of iClosed-Controlled Data may be exempt from deletion or modification where retention is required for:

  • compliance with applicable laws or regulatory obligations;

  • security monitoring, fraud prevention, or abuse detection;

  • audit, logging, or record-keeping obligations; or

  • the establishment, exercise, or defense of legal claims.


Where a Data Subject submits a request relating to Customer Personal Data for which iClosed acts solely as a Processor, iClosed shall not respond substantively and shall instead redirect the request in accordance with Clause 9.1.


9.3 Right to Deletion (Right to Be Forgotten)


9.3.1 Customer Personal Data (Processor Role)

Where iClosed processes Customer Personal Data solely in its capacity as a Data Processor, iClosed shall delete such data only upon documented instruction from the Customer, except where retention is required under Applicable Data Protection Laws.


Deletion of Customer Personal Data includes, where applicable:

  • Lead and contact records

  • Appointment and scheduling data

  • CRM fields, notes, deal records, and pipeline data

  • Customer-uploaded files and assets

  • Workflow, automation, and messaging metadata

Upon deletion:

  • Data is placed into a soft-deleted state and rendered inaccessible to the Customer;

  • Permanent deletion occurs following the applicable retention period (currently up to one hundred eighty (180) days); and

  • Encrypted backups containing such data are overwritten on a rolling basis (currently up to one hundred eighty (180) days).


iClosed shall not delete Customer Personal Data directly in response to a Data Subject request unless expressly instructed by the Customer or required by Applicable Law.


9.3.2 iClosed-Controlled Data (Controller Role)

Where iClosed acts as an Independent Data Controller, iClosed shall respond directly to deletion requests in accordance with Applicable Data Protection Laws.

Certain categories of iClosed-Controlled Data may be retained where deletion is not required or permitted due to:

  • Legal or regulatory obligations (e.g., tax, accounting, or audit requirements);

  • Security, fraud prevention, or abuse detection purposes;

  • Dispute resolution or enforcement of contractual rights; or

  • System integrity and operational resilience.

In such cases, data shall be restricted from active processing and retained only to the minimum extent necessary.


9.3.3 Limitations and Clarifications

For the avoidance of doubt:

  • iClosed cannot verify the identity of Customer leads or end-users and therefore relies on the Customer to validate and instruct deletion requests relating to Customer Personal Data;

  • iClosed is not required to immediately delete data from backups, logs, or archival systems where such deletion is technically infeasible or disproportionate; and

  • Aggregated or anonymized data that no longer identifies an individual is not subject to deletion obligations.

  • Where Customer enables iScore, iClosed does not independently verify the accuracy, completeness, or timeliness of Credit & Financial Enrichment Data obtained from third-party providers and does not act as the source of record for such data. Customer is solely responsible for evaluating, relying upon, and acting on such data. See Addendum A for additional iScore-specific customer responsibilities and restrictions.

All deletion activities under this Clause are subject to the principles of data minimization, proportionality, and storage limitation.


9.4 Data Portability


9.4.1 Customer Personal Data (Processor Role)

Where Customer acts as the Data Controller, iClosed shall support Customer’s obligations relating to the right to data portability under Applicable Data Protection Laws by:

  • Providing Customer with technical means to export Customer Personal Data directly from the iClosed platform in a commonly used, structured, and machine-readable format (including CSV or equivalent formats); and

  • Making such export functionality available through standard self-service features within the platform where technically feasible.

iClosed shall not transmit Customer Personal Data directly to third parties or other controllers unless explicitly instructed by Customer and permitted under Applicable Data Protection Laws.


9.4.2 iClosed-Controlled Data (Controller Role)

Where iClosed acts as an Independent Data Controller, Data Subjects may request portability of Personal Data relating to their account, to the extent required by Applicable Data Protection Laws.

Such portable data may include, where applicable:

  • Basic account identification details;

  • Subscription and billing-related metadata (excluding payment card details processed by third parties); and

  • User-provided account configuration information.

iClosed is not required to provide portability of data that:

  • Is retained solely for security, fraud prevention, audit, or legal compliance purposes;

  • Is derived, inferred, or aggregated; or

  • Would adversely affect the rights and freedoms of others.


9.4.3 Technical and Legal Limitations

Data portability obligations under this Clause apply only to Personal Data:

  • Provided by the Data Subject;

  • Processed by automated means; and

  • Processed on the basis of consent or performance of a contract, where required by law.


Nothing in this Clause requires iClosed to maintain data in systems beyond its normal retention periods or to re-engineer its services for the sole purpose of portability.


9.5 Right to Restrict or Object to Processing


9.5.1 Customer Personal Data (Processor Role)

Where iClosed processes Customer Personal Data solely in its capacity as a Data Processor under this DPA, any request by a Data Subject to restrict or object to processing must be assessed and actioned by the Customer as the Data Controller.

Upon receiving documented instructions from Customer, iClosed shall, to the extent technically feasible and legally permissible:

  • implement restrictions on processing activities;

  • suspend specified processing operations; or

  • apply deletion, anonymization, or other controls as instructed,

provided that such instructions are consistent with this DPA, the Master Agreement, and Applicable Data Protection Laws.


iClosed shall not independently restrict or object to processing of Customer Personal Data without Customer instruction, except where required by law.


9.5.2 iClosed-Controlled Data (Controller Role)

Where iClosed acts as an Independent Data Controller, Data Subjects may exercise their rights to object to or restrict processing in accordance with Applicable Data Protection Laws.

Such rights may apply, for example, to:

  • non-essential platform analytics;

  • optional telemetry or diagnostics (where applicable);

  • cookie-based processing subject to consent or opt-out mechanisms.


Where a valid objection or restriction request is received, iClosed shall evaluate the request and, where required by law:

  • cease or limit the relevant processing activity; or

  • demonstrate compelling legitimate grounds for continuing processing, where permitted under Article 21 GDPR or equivalent laws.


9.5.3 Exceptions and Limitations

Notwithstanding the foregoing, iClosed may continue processing Personal Data where such processing is necessary for:

  • compliance with a legal obligation;

  • security monitoring, fraud prevention, or abuse detection;

  • establishment, exercise, or defense of legal claims; or

  • maintaining essential system integrity and availability.


9.5.4 Consent-Based Processing

Where processing is based on consent (including cookie-based processing), Data Subjects may withdraw consent at any time through the mechanisms provided (e.g., consent management tools), and such withdrawal shall not affect the lawfulness of processing prior to withdrawal.


9.6 Identity Verification

Before responding to any Data Subject Request, iClosed shall take reasonable steps to verify the identity of the requesting individual in order to prevent unauthorized access, deletion, or disclosure of Personal Data.


9.6.1 Customer Personal Data (Processor Role)

Where iClosed acts as a Data Processor with respect to Customer Personal Data:

  • iClosed does not independently verify the identity of Data Subjects whose data is controlled by the Customer;

  • iClosed shall require that all Data Subject Requests relating to Customer Personal Data be submitted through the Customer, who is responsible for identity verification;

  • If iClosed receives a request directly from a Data Subject relating to Customer Personal Data, iClosed shall:

    • promptly forward the request to the relevant Customer without undue delay; and

    • refrain from acting on the request except as instructed by the Customer or as required by Applicable Data Protection Laws.

9.6.2 iClosed-Controlled Data (Controller Role)

Where iClosed acts as an Independent Data Controller, iClosed may verify the identity of the requesting Data Subject using reasonable and proportionate measures, including:

  • verification of the email address associated with the account;

  • confirmation of account ownership or administrative privileges; and

  • additional verification steps where required due to the sensitivity of the request.


iClosed shall not require excessive information for identity verification and shall not collect new Personal Data solely for verification purposes unless strictly necessary.


9.6.3 Failure to Verify Identity

If iClosed is unable to reasonably verify the identity of a requesting individual, iClosed may:

  • decline to act on the request; or

  • request additional information necessary to confirm identity,

in accordance with Applicable Data Protection Laws.


9.6.4 Security Safeguard

Nothing in this Clause obligates iClosed to disclose, modify, or delete Personal Data where doing so would:

  • compromise the security of Personal Data;

  • expose Personal Data to unauthorized parties; or

  • violate applicable legal or regulatory obligations.


9.7 Record-Keeping Obligations

iClosed shall maintain records of processing activities as required under applicable Data Protection Laws, including Article 30 of the GDPR, to the extent such obligations apply to iClosed in its role as a Data Processor and/or Independent Data Controller.


9.7.1 Customer Personal Data (Processor Role) Records

Where iClosed acts as a Data Processor for Customer Personal Data, iClosed shall maintain records that include, at a minimum:

  • the name and contact details of iClosed and each Customer on whose behalf processing is carried out;

  • the categories of processing activities performed on behalf of Customers;

  • categories of Customer Personal Data processed;

  • categories of recipients (including Sub-Processors, where applicable);

  • details of international transfers and applicable transfer safeguards (such as SCCs); and

  • general description of technical and organizational security measures implemented.

Such records shall be maintained in written or electronic form and made available to competent supervisory authorities upon lawful request.


9.7.2 iClosed-Controlled Data (Controller Role) Records

Where, and to the extent that, iClosed acts as an Independent Data Controller for specific processing activities under this DPA, iClosed shall maintain records of processing activities in accordance with Article 30 GDPR and equivalent requirements under Applicable Data Protection Laws, including:

  • purposes of processing;

  • categories of Personal Data and Data Subjects;

  • lawful bases relied upon;

  • retention periods; and

  • applicable security and access controls.

These records are maintained solely for iClosed’s compliance obligations and are not Customer-controlled.


9.7.3 Customer Responsibilities

Customer remains solely responsible for maintaining its own records of processing activities relating to Customer Personal Data for which Customer acts as Data Controller, including compliance with GDPR Article 30(1) and equivalent requirements under applicable laws.

Nothing in this Clause obligates iClosed to maintain records on Customer’s behalf beyond the requirements applicable to iClosed under law.


9.7.4 Privacy Notices and Consent Responsibility

The Customer is solely responsible for providing all required privacy notices to Data Subjects and for obtaining, managing, and documenting any consents or other lawful bases required under Applicable Data Protection Laws in connection with the processing of Customer Personal Data.

Nothing in this Agreement authorizes iClosed to provide privacy notices, obtain consent, or act on behalf of the Customer with respect to Customer Personal Data. Any display of iClosed branding, legal notices, or platform-level disclosures does not constitute the provision of privacy notices or consent mechanisms on behalf of the Customer.


9.8 Response Timelines

iClosed shall respond to Data Subject Requests and Customer assistance requests within the timeframes required under applicable Data Protection Laws, taking into account iClosed’s role as either a Data Processor or an Independent Data Controller.


9.8.1 Customer Personal Data (Processor Role)

Where iClosed acts as a Data Processor for Customer Personal Data:

  • iClosed shall promptly forward any Data Subject Request it receives directly to the relevant Customer, without undue delay.

  • iClosed shall provide reasonable assistance to Customer in fulfilling such requests, as required under GDPR Article 28(3)(e).

  • Assistance shall generally be provided within five (5) to seven (7) business days, unless a shorter period is required by law or the request is time-sensitive.

iClosed shall not respond directly to Data Subjects regarding Customer Personal Data, except where legally required to do so.


9.8.2 iClosed-Controlled Data (Controller Role)

Where iClosed acts as an Independent Data Controller, iClosed shall respond directly to Data Subject Requests relating to iClosed-Controlled Data:

  • Within thirty (30) days of receipt, as required under GDPR Article 12(3);

  • With the right to extend the response period by up to sixty (60) additional days where the request is complex or numerous, in accordance with applicable law, with notice to the Data Subject.


9.8.3 Breach-Related Notifications

In the event of a Personal Data Breach:

  • iClosed shall notify Customer without undue delay after becoming aware of the breach where Customer Personal Data is affected;

  • Where GDPR applies, notification shall occur within seventy-two (72) hours of awareness, unless the breach is unlikely to result in a risk to Data Subjects’ rights and freedoms.


9.8.4 Exceptions and Limitations

Response timelines may be extended or limited where:

  • The request is manifestly unfounded or excessive;

  • Identity verification is required and has not yet been completed;

  • Retention is required for legal obligations, security investigations, fraud prevention, or dispute resolution.

Any such limitation shall be documented and handled in accordance with Applicable Data Protection Laws.


9.9 Customer’s Misuse of Data Subject Rights

Customer shall not misuse or attempt to misuse Data Subject Requests or rights under Applicable Data Protection Laws in a manner that is unlawful, abusive, deceptive, or inconsistent with the purposes of such laws.

In particular, Customer shall not use Data Subject Requests to:

  • circumvent contractual, billing, or payment obligations;

  • delete, suppress, or alter records in a manner intended to conceal fraud, unlawful activity, or regulatory non-compliance;

  • interfere with iClosed’s legal obligations, security investigations, or audit requirements;

  • request deletion or restriction of data that iClosed is legally required to retain; or

  • compel iClosed to act outside its role as Processor or Controller under this DPA.


Where iClosed reasonably determines that a request or instruction from Customer constitutes misuse of Data Subject rights or would cause iClosed to violate Applicable Data Protection Laws, iClosed may:

  • refuse to comply with the request to the extent necessary;

  • notify Customer of the legal basis for refusal; and

  • take such steps as required to comply with its own legal obligations.


Nothing in this Clause limits iClosed’s right to cooperate with supervisory authorities or comply with lawful requests from regulatory or governmental bodies.


9.10 Fees for Assistance

iClosed shall provide reasonable assistance to Customer in fulfilling Data Subject Requests and complying with its obligations under Applicable Data Protection Laws at no additional charge, where such assistance can be provided through the standard functionality of the iClosed platform or requires minimal administrative effort.


However, iClosed reserves the right to charge reasonable and proportionate fees for assistance where:

(a) Customer requests assistance that is manifestly unfounded, excessive, or repetitive within the meaning of GDPR Article 12(5) or equivalent provisions under applicable law;

(b) Customer requests manual, custom, or non-standard processing, including backend engineering intervention, bespoke data extraction, or deviation from standard platform workflows;

(c) Customer requests assistance outside the scope of iClosed’s obligations as a Processor under this DPA or Applicable Data Protection Laws; or

(d) Customer requests accelerated response times or additional services beyond those required by law.

Any applicable fees shall be:

  • communicated to Customer in advance;

  • limited to the reasonable administrative costs incurred by iClosed; and

  • subject to Customer’s prior written approval before such fees are incurred.


Nothing in this Clause obligates iClosed to comply with requests that would require iClosed to violate Applicable Data Protection Laws, compromise platform security, or disclose confidential or proprietary information of iClosed or other customers.

  10. LIABILITY, GOVERNING LAW, TERMINATION & FINAL PROVISIONS

This Chapter sets out the Parties’ respective responsibilities, limitations, and legal safeguards relating to liability, governing law, termination, and enforcement of this Data Processing Agreement.


The provisions of this Chapter are intended to:

  • allocate risk fairly and proportionately between the Parties;

  • ensure compliance with applicable Data Protection Laws, including GDPR Articles 28 and 82;

  • clarify the interaction between this DPA and the Master Agreement; and

  • establish legally enforceable mechanisms for termination, dispute resolution, and amendment.


Except as expressly required by Applicable Data Protection Laws, nothing in this DPA is intended to expand, limit, or modify either Party’s liability beyond what is set forth in the Master Agreement, and this Chapter shall be interpreted consistently with that principle.


In the event of any conflict between this DPA and the Master Agreement with respect to data protection matters, this DPA shall prevail. For all other matters, the Master Agreement shall govern.


10.1 Liability

This Clause allocates responsibility between the Parties in accordance with Article 82 of the GDPR, applicable U.S. state privacy laws, and standard SaaS data-processing practice.


10.1.1 Processor Liability

To the extent iClosed acts as a Data Processor under this DPA, iClosed shall be liable only for damages arising from its failure to comply with obligations that apply specifically to processors under Applicable Data Protection Laws, and only where:

  • iClosed has not complied with Customer’s lawful and documented instructions; or

  • iClosed has acted outside or contrary to such instructions; and

  • The damage was directly caused by iClosed’s breach of this DPA.

iClosed shall not be liable for any damage resulting from:

  • Customer’s unlawful processing instructions;

  • Customer’s failure to obtain valid consent or establish a lawful basis;

  • Customer’s configuration, use, or misuse of the Services; or

  • Customer-controlled integrations, exports, or downstream processing.


10.1.2 Controller Liability

To the extent iClosed acts as an Independent Data Controller, each Party shall be independently responsible for compliance with its own obligations under Applicable Data Protection Laws.

Nothing in this DPA creates joint controllership or shared liability between the Parties.


10.1.3 Customer Liability

Customer shall be solely liable for:

  • the lawfulness of Personal Data collected from Data Subjects;

  • the accuracy of privacy disclosures provided to Data Subjects;

  • the legality of Customer instructions issued to iClosed;

  • Customer’s CRM practices, sales operations, and communications; and

  • Customer-controlled integrations, automations, and data transfers.

Customer shall indemnify and hold harmless iClosed from claims, fines, penalties, or damages arising from Customer’s breach of Applicable Data Protection Laws or this DPA.


10.1.4 Exclusions and Limitations

To the maximum extent permitted by law:

  • Neither Party shall be liable for indirect, incidental, consequential, special, or punitive damages, including loss of profits, revenue, or goodwill;

  • iClosed shall not be liable for administrative fines imposed on Customer resulting from Customer’s role as Controller;

  • iClosed shall not be liable for acts or omissions of Sub-Processors to the extent permitted under Article 82(2) GDPR, except where iClosed failed to meet its Sub-Processor obligations under this DPA.

Any liability caps or limitations set forth in the Master Agreement shall apply to this DPA unless prohibited by Applicable Data Protection Laws.


Nothing in this DPA or the Master Agreement is intended to limit or exclude any rights of Data Subjects to seek compensation or remedies under Article 82 of the GDPR or other Applicable Data Protection Laws.


10.2 Governing Law & Jurisdiction


10.2.1 Data Protection Law & Transfer Mechanisms (EU SCCs / UK Addendum)

(a) EU SCCs. Where the EU Standard Contractual Clauses (“EU SCCs”) apply, the EU SCCs shall be governed by the law of the EU Member State specified in Clause 17 of the EU SCCs, and any dispute arising from the EU SCCs shall be resolved by the courts specified in Clause 18 of the EU SCCs. For clarity, the Parties designate Ireland as the default EU Member State for Clauses 17 and 18 unless a different EU Member State is expressly specified in the SCC Appendix / Order Form. Nothing in this DPA limits data subjects’ rights under the EU SCCs, including the right to bring proceedings in the Member State of their habitual residence as provided in Clause 18(c) of the EU SCCs.

(b) Competent Supervisory Authority (EU SCCs). The competent supervisory authority for purposes of the EU SCCs will be determined in accordance with Clause 13 of the EU SCCs and identified in Annex I.C of the EU SCCs.

(c) UK Transfers. Where the UK International Data Transfer Addendum (or UK IDTA) applies, it shall be interpreted consistently with UK data protection laws and governed as specified in that instrument (including its governing law and jurisdiction provisions). For the ICO Addendum, this is typically England and Wales unless the Parties expressly select Scotland or Northern Ireland.


10.2.2 Commercial & Contractual Matters

For all matters not governed by applicable data protection laws or the EU SCCs/UK transfer mechanism (including commercial terms, contractual interpretation, payment obligations, and limitation of liability), this DPA shall be governed by and construed in accordance with the governing law specified in the Master Agreement (e.g., the laws of the State of Wyoming, USA, excluding conflict-of-law rules).


10.2.3 Jurisdiction

(a) EU SCCs / UK transfer mechanism disputes shall follow the forum/jurisdiction provisions in the applicable transfer mechanism (including Clause 18 of the EU SCCs and, where applicable, the UK Addendum/IDTA).

(b) All other disputes arising out of or relating to this DPA shall follow the jurisdiction provisions set forth in the Master Agreement.

(c) Nothing in this Clause limits the rights of data subjects to lodge complaints with, or seek remedies from, a competent supervisory authority under applicable data protection laws.


10.3 Termination & Data Deletion


10.3.1 Effect of Termination

Upon termination or expiration of the Master Agreement for any reason:

  • Customer’s access to the iClosed platform and Services shall cease in accordance with the Master Agreement; and

  • iClosed shall process Customer Personal Data only to the extent necessary to effectuate termination, comply with legal obligations, or complete deletion in accordance with this Clause.


10.3.2 Customer Data Export

Prior to termination, and subject to the Master Agreement:

  • Customer may export Customer Personal Data using the functionality made available within the iClosed platform; and

  • iClosed is not obligated to maintain access to the platform after termination solely for export purposes unless otherwise contractually agreed.


10.3.3 Deletion of Customer Personal Data (Processor Role)

Following termination or upon Customer’s documented instruction:

  • Customer Personal Data shall be placed into a soft-deleted state, rendering it inaccessible to Customer and end users;

  • Such data shall be permanently deleted from active systems within one hundred eighty (180) days following termination or receipt of a valid deletion request, subject to iClosed’s standard data deletion workflows and applicable legal obligations; and

  • Customer Personal Data contained in system backups shall be overwritten or deleted within one hundred eighty (180) days following deletion from active systems, in accordance with iClosed’s standard backup retention and rotation practices, and shall remain logically isolated and inaccessible during such periods.


iClosed shall not be required to delete Customer Personal Data to the extent retention is required for:

  • Compliance with applicable law;

  • Security investigations, fraud prevention, or abuse detection;

  • Resolution of billing disputes; or

  • Establishment, exercise, or defense of legal claims.


10.3.4 Data Retained as Controller

Termination of the Master Agreement does not require deletion of Personal Data processed by iClosed in its capacity as an Independent Controller, including:

  • Account, billing, and subscription records;

  • Security, audit, and compliance logs; and

  • Other operational data retained in accordance with applicable law and iClosed’s Privacy Policy.

Such data shall be retained only for lawful purposes and subject to appropriate retention limits.


10.3.5 Anonymized and Aggregated Data

Nothing in this DPA obligates iClosed to delete or erase:

  • Aggregated data; or

  • Anonymized data

that no longer identifies any individual and cannot reasonably be re-identified, provided such data is not derived or used in a manner that identifies Customer or Data Subjects.


10.3.6 Certification of Deletion

Upon written request by Customer, iClosed shall provide reasonable confirmation that deletion of Customer Personal Data has been completed in accordance with this Clause, excluding data retained under lawful exceptions.


10.4 Confidentiality

Each Party shall ensure that any person authorized to process Personal Data under this DPA is subject to a duty of confidentiality, whether arising under contract, statute, or professional obligation.

In particular:

(a) iClosed shall ensure that all personnel who access Customer Personal Data are bound by written confidentiality obligations that are no less protective than those set out in this DPA;

(b) such personnel shall process Customer Personal Data only on documented instructions from Customer or as required to perform their duties in accordance with this DPA;

(c) access to Customer Personal Data shall be limited to those personnel who have a legitimate operational need to know such data for the purposes described in this DPA; and

(d) confidentiality obligations shall survive the termination or expiration of the Master Agreement and this DPA.


Nothing in this Clause shall prevent either Party from disclosing Personal Data where such disclosure is required by applicable law, regulation, or a valid order of a competent authority, provided that (to the extent legally permitted) the disclosing Party gives prompt notice to the other Party and limits the disclosure to what is strictly required.


10.5 Audits & Demonstration of Compliance


10.5.1 Right to Audit

Customer may audit iClosed’s compliance with this DPA to the extent required under Applicable Data Protection Laws, including GDPR Article 28(3)(h). Nothing in this Clause is intended to limit or exclude audit or inspection rights mandated by such laws.

Such audits are limited to verification of iClosed’s obligations when acting as a Data Processor for Customer Personal Data.

iClosed shall make available to Customer, upon reasonable request, information necessary to demonstrate compliance with this DPA, including:

  • summaries of technical and organizational security measures;

  • documentation relating to Sub-Processor governance;

  • descriptions of data protection controls relevant to the Services.

Documentation-First Approach. Before initiating an on-site or technical audit, Customer shall first request compliance documentation under Clause 10.5.3. An on-site or technical audit may proceed only to the extent Customer reasonably demonstrates that the documentation provided is insufficient to satisfy Customer’s audit rights under Applicable Data Protection Laws.


10.5.2 Audit Conditions

Any audit conducted under this Clause must:

  • be limited in scope to Customer Personal Data processed by iClosed as a Processor;

  • occur no more than once per twelve (12) months, unless required by a competent supervisory authority or following a confirmed Personal Data Breach attributable to iClosed;

  • be conducted during normal business hours;

  • be subject to reasonable advance written notice (at least thirty (30) days);

  • be remote-first (e.g., document review, interviews, and evidence review), unless an on-site audit is legally required or the Parties agree that on-site access is necessary and proportionate;

  • not disrupt iClosed’s normal business operations;

  • comply with iClosed’s reasonable confidentiality, security, and access control requirements; and

  • be limited to the specific systems, controls, and facilities reasonably necessary to verify compliance with this DPA.

Customer’s audit request must include a proposed audit plan describing (i) scope and objectives, (ii) requested evidence types, (iii) proposed dates and duration, and (iv) the identity of any third-party auditor (if applicable). iClosed may propose reasonable modifications to the audit plan to protect security, confidentiality, and operational continuity. Customer shall bear all costs associated with the audit, including any reasonable costs incurred by iClosed in supporting the audit.


10.5.3 Use of Third-Party Audit Reports

Where available, iClosed may satisfy audit requests by providing:

  • independent third-party audit reports;

  • security or compliance summaries;

  • written certifications or attestations; or

  • other equivalent documentation reasonably demonstrating compliance.

Customer agrees that the provision of such documentation shall fulfill iClosed’s audit obligations, unless Customer can demonstrate that such materials are insufficient under Applicable Data Protection Laws.


10.5.4 Third-Party Auditors

If Customer elects to conduct an on-site or technical audit using a third-party auditor:

  • the auditor must be independent, not a competitor of iClosed, bound by written confidentiality obligations at least as protective as this DPA, and reasonably acceptable to iClosed;

  • the audit scope, evidence requests, and testing methods must be agreed in advance in writing; and

  • the auditor shall not access iClosed systems, source code, or proprietary information beyond what is strictly necessary to verify compliance.


10.5.5 No Audit of Controller Processing

For the avoidance of doubt:

  • Customer has no audit rights with respect to processing activities where, and to the extent that, iClosed independently determines the purposes and essential means of processing and therefore acts as an Independent Data Controller, such processing being limited to account administration, billing, security, abuse prevention, system integrity, and legal compliance.

  • Such processing is governed by iClosed’s Privacy Policy and Applicable Data Protection Laws, and not by the audit provisions of this DPA, without prejudice to iClosed’s obligations toward competent supervisory authorities.


10.5.6 Confidentiality of Audit Findings

All information disclosed in connection with an audit shall be treated as Confidential Information and used solely for the purpose of verifying compliance with this DPA.

Customer shall not disclose audit results to third parties except (i) to Customer’s legal counsel, external auditors, or professional advisors who are bound by confidentiality obligations, (ii) as required by law, or (iii) to a competent supervisory authority.


10.6 Changes to This DPA

(a) Updates. iClosed may amend or update this DPA from time to time only to the extent necessary to:
(i) comply with Applicable Data Protection Laws or regulatory guidance;
(ii) reflect changes to the Services, iClosed’s processing activities, or technical infrastructure;
(iii) incorporate updated Standard Contractual Clauses or equivalent transfer mechanisms;
(iv) update or clarify Security Measures; and/or
(v) improve clarity, consistency, or administrative efficiency without materially reducing the level of data protection afforded to Customer Personal Data.

(b) Notice of Material Changes. If an update materially reduces protections for Customer Personal Data or materially increases Customer obligations under this DPA (a “Material Change”), iClosed will provide at least thirty (30) days’ prior notice via reasonable means (including email to the account administrator, in-product notice, or publication in iClosed documentation).

(c) Objection; Termination Remedy. If Customer reasonably objects to a Material Change on documented data protection grounds, Customer must notify iClosed in writing within thirty (30) days of receiving notice. The Parties will work in good faith to address the objection (including by proposing a reasonable alternative or additional safeguards). If the objection cannot be resolved before the Material Change takes effect, Customer may terminate the affected portion of the Services (or, if necessary, the Services) by providing written notice before the effective date of the Material Change, and such termination will be Customer’s sole and exclusive remedy for that Material Change.

(d) Non-Material Changes. Non-material updates (including clarifications that do not reduce protections) may take effect upon publication or on the date specified in the notice.

(e) Conflicts / SCCs. If changes are required to maintain compliance with the SCCs or Applicable Data Protection Laws, the SCCs (and required updates) will apply to the extent necessary, consistent with Clause 1.4 (Precedence).


10.7 Conflict With Other Agreements

In the event of any conflict or inconsistency between the provisions of this Data Processing Agreement and any other agreement between the Parties, including the Master Agreement, Terms of Service, or any order form:

(a) this Data Processing Agreement shall prevail solely with respect to the processing of Personal Data and data protection obligations under Applicable Data Protection Laws; and

(b) the Master Agreement or Terms of Service shall prevail with respect to all commercial, financial, subscription, limitation of liability, indemnification, and other non-data-protection matters.

Nothing in this DPA shall be interpreted to expand, modify, or override the Parties’ commercial obligations, pricing terms, service scope, or limitation of liability beyond what is expressly set forth in the Master Agreement, except as required to comply with Applicable Data Protection Laws.


10.8 Entire Agreement

This Data Processing Agreement, together with the applicable Master Agreement, constitutes the entire agreement between the Parties with respect to the processing of Personal Data under Applicable Data Protection Laws and supersedes any prior or contemporaneous data protection agreements, addenda, representations, or understandings, whether written or oral, relating to the same subject matter.

In the event of any conflict or inconsistency between this DPA and the Master Agreement with respect to data protection obligations, this DPA shall prevail solely to the extent of such conflict and only with respect to matters concerning the processing of Personal Data.

For the avoidance of doubt:

(a) this DPA does not amend or modify any commercial, pricing, payment, limitation of liability, or service-related terms set forth in the Master Agreement except as expressly stated herein;

(b) the Privacy Policy governs iClosed’s processing of Personal Data where iClosed acts as an Independent Controller; and

(c) the Terms of Service govern Customer’s use of the Services and do not alter the allocation of data protection roles and responsibilities set forth in this DPA.


10.9 Acceptance and Binding Effect

This Data Processing Agreement does not require a physical or electronic signature to be legally binding.

This DPA shall become legally binding upon the earliest of:

(a) Customer’s acceptance of the Master Agreement (including Terms of Service or any equivalent agreement) that incorporates this DPA by reference;

(b) Customer’s execution of an order form, subscription, or service agreement referencing the Services; or

(c) Customer’s access to or use of the Services.

By entering into the Master Agreement or using the Services, the Parties acknowledge and agree that:

  • this DPA is incorporated by reference into the Master Agreement;

  • this DPA forms an integral part of the contractual relationship between the Parties with respect to the processing of Personal Data;

  • this DPA is enforceable against the Parties in accordance with its terms; and

  • this DPA is binding upon and inures to the benefit of the Parties and their respective successors and permitted assigns.


Where required by Applicable Data Protection Laws, including for purposes of the EU Standard Contractual Clauses, the Parties agree that this Clause constitutes valid execution of this DPA and any incorporated SCCs without the need for additional signatures.

ADDENDUM – A

iSCORE (CREDIT INTELLIGENCE / DATA ENRICHMENT) FEATURE ADDENDUM

1. Applicability

This Addendum A applies only where Customer enables and uses iClosed’s iScore credit intelligence/data enrichment functionality (“iScore”). If Customer does not enable iScore, this Addendum does not apply.


2. Definitions


2.1 “Credit & Financial Enrichment Data” means Customer Personal Data obtained from third-party enrichment or credit-intelligence providers in connection with iScore, including, as applicable, score values and/or score bands, pre-qualification or eligibility indicators, credit-limit bands, risk/qualification labels, debt-to-income ratios, estimated income (personal and/or household), derived age range (e.g., age band) where provided, address attributes (including historical address indicators), and enrichment-response metadata returned by such providers.


2.2 “Credit Enrichment Event” means a single instance of processing in which iClosed transmits limited Customer Personal Data to an authorized enrichment provider at Customer’s direction and receives Credit & Financial Enrichment Data in response, solely for use within Customer’s account and solely in accordance with Customer’s documented instructions.


2.3 “Enrichment Provider” means a third-party provider engaged solely to perform Credit Enrichment Events when iScore is enabled.


2.4 Sub-Processor Status. Enrichment Providers are Sub-Processors (as defined in the DPA) to the extent they process Customer Personal Data to perform Credit Enrichment Events. iClosed will disclose Enrichment Providers in the Sub-Processor List, and Customer’s notice and objection rights for Enrichment Providers are governed by Chapter 7 of the DPA.


2.5 Data Inputs (Credit Enrichment Events). A Credit Enrichment Event may involve transmission of limited identifiers provided by Customer (e.g., name, email, phone number, business name, and/or address details) as necessary to obtain the enrichment response. For the avoidance of doubt, iClosed does not require Customer to provide (and Customer shall not provide) Social Security numbers, government-issued identification numbers, full dates of birth, financial account numbers, or payment card numbers as part of iScore.


3. Scope and Purpose

iClosed processes Credit & Financial Enrichment Data solely: (a) to perform Customer-initiated Credit Enrichment Events; and (b) to display/store the resulting enrichment output within Customer’s account as configured by Customer. iClosed does not determine why, when, or whether a Credit Enrichment Event occurs.

Customer acknowledges that Addendum A contains specific restrictions and responsibilities for using the iScore feature. In particular, Customer shall not use iScore outputs as the sole basis for decisions that have legal or similarly significant effects on Data Subjects (including, for example, credit, housing, employment, or insurance decisions) unless Customer independently ensures full compliance with all applicable laws (such as U.S. consumer credit reporting laws like the Fair Credit Reporting Act, and any laws governing automated decision-making or profiling). Customer further acknowledges that inputs to the iScore feature must not include highly sensitive personal identifiers (for example, Social Security numbers, government-issued ID numbers, full dates of birth, financial account or payment card numbers), as detailed in Addendum A. Customer is solely responsible for providing any required notices, disclosures, consents, or authorizations, and for complying with all applicable legal obligations (including consumer credit, data privacy, and profiling laws) in connection with its use of iScore and any related enrichment data.


4. Roles

Customer is the Controller of Customer Personal Data (including any data sent in a Credit Enrichment Event and any resulting Credit & Financial Enrichment Data). iClosed acts as Processor in performing Credit Enrichment Events and handling resulting enrichment data within the Services.


5. Customer Responsibilities (iScore)

Customer represents and warrants that it will use iScore only in compliance with applicable law and that it has obtained all required notices, disclosures, authorizations, and lawful bases to initiate each Credit Enrichment Event. Customer is solely responsible for its use of enrichment outputs, including any decisions, classifications, routing outcomes, or actions taken using such data.

Without limiting the foregoing, Customer is solely responsible for (i) determining whether its use of iScore outputs constitutes an adverse action, automated decision, profiling activity, or similarly significant effect under applicable law, and (ii) providing any required notices, disclosures, explanations, opt-outs, appeals, and human review mechanisms required under applicable law (including, where applicable, the FCRA and ECOA/Regulation B). Customer is also solely responsible for handling complaints, disputes, or inquiries from Data Subjects relating to decisions or outcomes based on iScore outputs.


6. iClosed Obligations (iScore)

iClosed will:

(a) process Credit & Financial Enrichment Data only on Customer’s documented instructions and only to provide iScore;

(b) contractually restrict each Enrichment Provider to process Customer Personal Data solely to perform the specific Credit Enrichment Event initiated by Customer and prohibit retention, reuse, or disclosure of such data except to the extent necessary to (i) return the requested response, (ii) maintain security and prevent fraud/abuse, or (iii) comply with applicable law;

For the avoidance of doubt, Enrichment Providers are also prohibited from aggregating, selling, or independently analyzing Customer Personal Data provided for a Credit Enrichment Event, and from using such data to build consumer profiles, credit databases, or derivative products.

(c) apply enhanced safeguards appropriate to the sensitivity of enrichment outputs, including (i) restricted access limited to authorized services/personnel with a legitimate operational need, (ii) least-privilege and role-based access controls, (iii) encryption in transit and at rest, (iv) logging and monitoring of Credit Enrichment Events and access to enrichment outputs, and (v) secure deletion/minimization/overwriting consistent with iClosed’s retention controls; and

(d) provide Customer with reasonable controls to delete or suppress Credit & Financial Enrichment Data within the Services, subject to backup overwrite cycles and legal retention obligations.


7. Data Subject Requests

Customer is solely responsible for responding to Data Subject requests, inquiries, or complaints relating to Credit & Financial Enrichment Data or Customer’s use of such data. Upon Customer’s request, iClosed will make available relevant event metadata, timestamps, and deletion/suppression controls within the Services to assist Customer.


8. International Transfers

Where an Enrichment Provider or processing location for iScore is outside the EEA/UK/Switzerland and a restricted transfer applies, iClosed will ensure that the transfer is subject to the safeguards described in Chapter 8 of the DPA (including SCCs where applicable) and any supplementary measures required under Applicable Data Protection Laws for the iScore processing.


Geographic Availability. iScore Credit Enrichment Events are currently intended to be performed solely in relation to U.S.-based Data Subjects and U.S.-supported identifiers. Any expansion of iScore to additional jurisdictions or providers will be subject to iClosed’s Sub-Processor notice process and the implementation of applicable international transfer safeguards in accordance with Chapter 8 of the DPA.


9. Termination / Deletion

Upon termination or deactivation of iScore, iClosed will delete or render inaccessible Credit & Financial Enrichment Data within Customer’s account in accordance with the DPA’s deletion provisions, subject to backups and legal retention exceptions.


10. Use Restrictions; Consumer-Credit Laws

Customer shall not use iScore outputs as the sole basis for decisions that produce legal or similarly significant effects on individuals (including credit, housing, employment, or insurance eligibility decisions) unless Customer has independently ensured full compliance with all applicable consumer credit and decisioning laws (including, where applicable, the U.S. Fair Credit Reporting Act (FCRA) and related notice/authorization requirements). iClosed does not provide legal advice and Customer remains solely responsible for determining whether such laws apply to its use case.


Customer shall not resell or redistribute iScore outputs, or use iScore for background checks or consumer-reporting purposes, except as permitted under applicable law and subject to Customer’s full compliance obligations.

Contact Us:

If you have any questions about this data processing agreement, please contact us at:
Email: hello@iclosed.io