Data Processing Agreement

Effective date: July 8, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service or other written agreement between the customer ("Customer," "Controller," "you") and the applicable InnovareAI contracting entity ("InnovareAI," "Processor," "we," "us") governing Customer's use of the SAM platform and related services (the "Services").

If Customer is established in the European Economic Area, United Kingdom, or Switzerland, the contracting entity is Innovare GmbH, Taunusanlage 8, 60329 Frankfurt, Germany, unless otherwise stated in the applicable order form or agreement. For other customers, the contracting entity is Innovare, Inc., 1250 Borregas Ave, Sunnyvale, CA 94089, USA, unless otherwise stated in the applicable order form or agreement.

For billing and payment administration, Innovare, Inc. may act as the merchant of record and may charge Customer's selected payment method, including where Customer contracts for the Services with Innovare GmbH. This billing arrangement does not change the contracting entity for the Services, the allocation of roles under this DPA, or Innovare GmbH's responsibilities to Customer where Innovare GmbH is the applicable contracting entity.

This DPA sets out the terms on which InnovareAI processes Customer Personal Data on Customer's behalf and is intended to satisfy the requirements of Article 28 of Regulation (EU) 2016/679, the General Data Protection Regulation ("GDPR").

Definitions

Terms such as "controller," "processor," "sub-processor," "personal data," "processing," "data subject," and "personal data breach" have the meanings given in the GDPR.

"Applicable Data Protection Law" means the GDPR, the UK GDPR, the Swiss Federal Act on Data Protection, and any national data protection law applicable to the processing of Customer Personal Data under this DPA.

"Customer Personal Data" means personal data that Customer submits to the Services or otherwise makes available to InnovareAI for processing on Customer's behalf.

"SCCs" means the standard contractual clauses approved by the European Commission under Commission Implementing Decision (EU) 2021/914 of June 4, 2021, as amended or replaced from time to time.

"UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner's Office, as amended or replaced from time to time.

Roles and scope of processing

Customer is the Controller of Customer Personal Data. If Customer processes personal data on behalf of a third-party controller, Customer acts as a processor and InnovareAI acts as Customer's sub-processor.

InnovareAI processes Customer Personal Data as Processor only on Customer's documented instructions, including as set out in the Agreement, this DPA, Customer's configuration of the Services, and Customer's use of the Services.

Customer instructs InnovareAI to process Customer Personal Data as necessary to provide, secure, maintain, support, and improve the Services. For clarity, "improve" in this context means improving service reliability, security, functionality, debugging, and operational performance. Customer Personal Data processed on Customer's behalf is not used to train external or general-purpose AI models.

InnovareAI will inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Law, unless prohibited from doing so by law.

The subject matter, duration, nature, purpose, categories of data subjects, and categories of personal data are described in Annex 1.

Customer obligations

Customer is responsible for ensuring that it has a valid legal basis for collecting, using, and submitting Customer Personal Data to the Services.

Customer is responsible for providing any notices, obtaining any consents where required, honoring applicable opt-out, objection, and suppression rights, and ensuring that its use of the Services complies with Applicable Data Protection Law.

Customer is responsible for the accuracy, quality, and legality of Customer Personal Data and for ensuring that its instructions to InnovareAI are lawful.

Customer must not submit special categories of personal data, personal data relating to criminal convictions or offenses, children's data, health data, financial account data, government identification numbers, or other highly sensitive personal data to the Services unless expressly agreed in writing by InnovareAI.

Processor obligations

InnovareAI will:

  • process Customer Personal Data only on Customer's documented instructions, unless required otherwise by law, in which case InnovareAI will inform Customer before processing unless legally prohibited from doing so;
  • ensure that persons authorized to process Customer Personal Data are subject to confidentiality obligations;
  • implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data, including the measures described in Annex 2;
  • assist Customer, taking into account the nature of the processing, in responding to data subject requests under Applicable Data Protection Law;
  • assist Customer, taking into account the nature of the processing and information available to InnovareAI, with Customer's obligations relating to security, personal data breach notification, data protection impact assessments, and prior consultation with supervisory authorities;
  • make available information reasonably necessary to demonstrate compliance with this DPA and Article 28 of the GDPR;
  • not sell Customer Personal Data;
  • not use Customer Personal Data to train external or general-purpose AI models; and
  • not disclose Customer Personal Data to third parties except as permitted by this DPA, the Agreement, Customer's instructions, or Applicable Data Protection Law.

Data subject requests

InnovareAI will, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as possible, to respond to requests from data subjects exercising rights under Applicable Data Protection Law.

If InnovareAI receives a request directly from a data subject relating to Customer Personal Data, InnovareAI will, where legally permitted, either direct the data subject to Customer or notify Customer. InnovareAI will not respond substantively to such request unless instructed by Customer or required by law.

Personal data breach

InnovareAI will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data and, where feasible, within 48 hours after becoming aware of the breach.

InnovareAI will provide information reasonably necessary for Customer to meet its notification obligations under Applicable Data Protection Law, including, where available, the nature of the breach, categories and approximate number of affected data subjects and records, likely consequences, and measures taken or proposed to address the breach.

InnovareAI's notification of or response to a personal data breach is not an acknowledgment of fault or liability.

Sub-processors

Customer provides general authorization for InnovareAI to engage sub-processors to process Customer Personal Data in connection with the Services.

The sub-processors authorized as of the effective date of this DPA are listed in Annex 3 and on our Sub-processors page. InnovareAI will impose written data protection obligations on each sub-processor that are no less protective in substance than those in this DPA, to the extent applicable to the sub-processor's processing activities.

InnovareAI remains liable for the performance of its sub-processors' data protection obligations.

InnovareAI will give Customer at least 30 days' prior notice before adding or replacing a sub-processor that processes Customer Personal Data. Notice may be provided by email, in-product notification, update to a public sub-processor page, or other reasonable means.

Customer may object to a new or replacement sub-processor on reasonable data protection grounds within the notice period. The parties will work in good faith to resolve the objection. If the parties cannot resolve the objection, Customer may suspend or terminate the affected Services in accordance with the Agreement.

Data location and international transfers

Customer Personal Data is stored at rest in a self-hosted database located in the European Union, currently Germany. Billing and payment data may be processed by Innovare, Inc. as merchant of record and by Stripe as payment service provider, as described in InnovareAI's Privacy Policy and, where applicable, billing terms. Billing and payment processing does not change the contracting entity for the Services or the roles described in this DPA.

Message generation may be performed using an EU-based large language model provider, currently Mistral AI SAS in France. Under this configuration, Customer Personal Data used for message generation is processed within the European Union.

Customer may choose to use an alternative model provider located in the United States, currently Anthropic PBC. Where Customer selects this option, Customer instructs InnovareAI to transfer Customer Personal Data as necessary for the selected model provider to perform the Services.

Where Customer Personal Data is transferred outside the EEA, United Kingdom, or Switzerland to a country that is not subject to an adequacy decision, the parties will use an appropriate transfer mechanism under Applicable Data Protection Law, including the SCCs, the UK Addendum, and/or the Swiss adaptations to the SCCs, as applicable.

For transfers from Customer as controller to InnovareAI as processor, Module Two of the SCCs applies. For transfers from Customer as processor to InnovareAI as sub-processor, Module Three of the SCCs applies. For onward transfers by InnovareAI to sub-processors, InnovareAI will ensure that appropriate onward transfer safeguards are in place.

The details in Annexes 1, 2, and 3 of this DPA are deemed to complete the relevant annexes of the SCCs, where applicable.

Deletion and return of data

Upon termination or expiry of the Services, InnovareAI will, at Customer's choice, delete or return Customer Personal Data and delete existing copies within 30 days, unless retention is required by law.

If Customer does not make a choice within a reasonable time after termination, InnovareAI may delete Customer Personal Data in accordance with its standard deletion procedures.

Backup copies will be deleted in accordance with InnovareAI's ordinary backup retention cycle, provided that backup copies remain protected in accordance with this DPA and are not restored to production systems except where necessary for business continuity, security, or legal compliance.

Audits and compliance information

InnovareAI will make available information reasonably necessary to demonstrate compliance with this DPA and Article 28 of the GDPR.

Customer may audit InnovareAI's compliance with this DPA no more than once per calendar year, unless required by a supervisory authority or following a confirmed personal data breach affecting Customer Personal Data.

Audits must be conducted on reasonable prior written notice, during normal business hours, subject to confidentiality obligations, and in a manner that does not unreasonably interfere with InnovareAI's business operations or compromise the security or confidentiality of other customers' data.

InnovareAI may satisfy audit requests by providing relevant third-party certifications, audit reports, security summaries, questionnaire responses, or other documentation reasonably sufficient to demonstrate compliance. On-site inspections are permitted only where such documentation is insufficient and where legally required or reasonably necessary.

Liability and governing law

The liability provisions and governing law of the Agreement apply to this DPA, except where prohibited by Applicable Data Protection Law.

For customers established in the European Economic Area, United Kingdom, or Switzerland, mandatory provisions of Applicable Data Protection Law apply where they provide greater protection than the Agreement.

Order of precedence

If there is a conflict between this DPA and the Agreement, this DPA controls with respect to the processing of Customer Personal Data.

If the SCCs apply and there is a conflict between the SCCs and this DPA or the Agreement, the SCCs control to the extent of the conflict.

Contact

Innovare, Inc.
1250 Borregas Ave
Sunnyvale, CA 94089
United States

Innovare GmbH
Taunusanlage 8
60329 Frankfurt
Germany

Data protection contact: dpo (at) innovareai (dot) com

Annex 1: Details of processing

Subject matter

InnovareAI's provision of the SAM platform and related services to run go-to-market outreach, engagement, and nurture workflows on Customer's behalf.

Duration

The term of the Agreement, plus any period required for deletion, return, backup retention, legal compliance, or dispute resolution.

Nature and purpose of processing

The Services process Customer Personal Data for prospecting, enrichment, personalized outreach, email and LinkedIn engagement, reply handling, lead management, scheduling, workflow automation, analytics, security, support, debugging, and service administration, in each case as configured or instructed by Customer.

Categories of data subjects

  • Customer's prospects, leads, business contacts, and their representatives;
  • Customer's users and authorized personnel;
  • individuals who communicate with Customer through outreach or engagement workflows.

Categories of personal data

  • names;
  • business email addresses;
  • phone numbers;
  • job titles;
  • employer and company information;
  • LinkedIn profile and company data;
  • professional background and publicly available business information;
  • message, reply, and conversation content;
  • meeting and scheduling information;
  • usage, log, and account administration data related to Customer's authorized users.

Sensitive data

Customer must not submit special categories of personal data or other highly sensitive personal data to the Services unless expressly agreed in writing by InnovareAI.

Annex 2: Technical and organizational measures

InnovareAI implements and maintains appropriate technical and organizational measures designed to protect Customer Personal Data, including the following:

Encryption and network security

  • encryption of personal data in transit using TLS;
  • encryption of personal data at rest using industry-standard encryption, including AES-256 or equivalent controls where supported;
  • secure configuration of production infrastructure;
  • network access controls and restricted administrative access.

Hosting and data isolation

  • Customer Personal Data stored in a self-hosted database located in the European Union, currently Germany;
  • logical separation of customer workspaces;
  • row-level isolation and access controls designed to separate customer data;
  • controls designed to prevent unauthorized cross-tenant access.

Access control

  • role-based access controls;
  • least-privilege administration;
  • multi-factor authentication for administrative access where supported;
  • access limited to personnel with a business need to access relevant systems;
  • periodic review of privileged access.

Logging and monitoring

  • audit logging of administrative and security-relevant events;
  • monitoring designed to detect unauthorized access or anomalous activity;
  • retention of relevant logs for security, debugging, and compliance purposes.

Operational security

  • confidentiality obligations for personnel authorized to process Customer Personal Data;
  • security awareness and privacy guidance for relevant personnel;
  • vulnerability management and security patching procedures;
  • incident response procedures for suspected or confirmed security incidents;
  • vendor and sub-processor review appropriate to the nature of the processing.

Backups and resilience

  • backup and recovery procedures designed to support availability and business continuity;
  • protection of backups using access controls and encryption where supported;
  • deletion of backup copies in accordance with ordinary backup retention cycles.

Product safeguards

  • human-in-the-loop approval controls so that outreach is not sent without Customer approval, where enabled or required by the Services;
  • suppression, opt-out, and configuration controls where supported by the Services;
  • controls designed to prevent Customer Personal Data from being used to train external or general-purpose AI models.

Annex 3: Authorized sub-processors

The following sub-processors may process Customer Personal Data on Customer's behalf in connection with the Services:

Sub-processorAddress / locationPurposeProcessing location
Hetzner Online GmbHIndustriestr. 25, 91710 Gunzenhausen, GermanyCloud infrastructure and hosting of the self-hosted databaseGermany / EU
Unipile SAS168 Rue de la Rotonde, 42153 Riorges, FranceLinkedIn, email, and messaging connection and delivery infrastructureFrance / EU
Apify Technologies s.r.o.Vodickova 704/36, 11000 Prague 1, Czech RepublicData enrichment, collection, automation, and verificationCzech Republic / EU
Mistral AI SASParis, FranceEU-based large language model provider for message generationFrance / EU
Anthropic PBCSan Francisco, California, United StatesAlternative large language model provider, engaged only where Customer selects this optionUnited States

Sub-processors used for InnovareAI's own website, billing, analytics, and corporate operations are described in InnovareAI's Privacy Policy unless they process Customer Personal Data on Customer's behalf in connection with the Services.

Annex 4: International transfer terms

Where the SCCs apply, the following terms apply:

Applicable modules

  • Module Two applies where Customer is a controller and InnovareAI is a processor.
  • Module Three applies where Customer is a processor and InnovareAI is a sub-processor.

Docking clause

The optional docking clause in Clause 7 of the SCCs applies.

Sub-processor authorization

For Clause 9 of the SCCs, Customer grants general written authorization for the engagement of sub-processors, subject to the notice and objection procedure described in this DPA.

Supervisory authority

For Clause 13 of the SCCs, the competent supervisory authority is the supervisory authority of the EU member state where Customer is established. Where Customer is not established in the EU but Article 3(2) GDPR applies, the competent supervisory authority is determined in accordance with the GDPR.

Governing law and jurisdiction

For Clauses 17 and 18 of the SCCs, the governing law and courts are those of the EU member state where Customer is established, provided that such law allows for third-party beneficiary rights. If Customer is not established in an EU member state, the governing law and courts are Germany.

Swiss transfers

For transfers subject to the Swiss Federal Act on Data Protection, references in the SCCs to the GDPR will be understood as references to the Swiss Federal Act on Data Protection, references to the EU or member states will include Switzerland, and the Swiss Federal Data Protection and Information Commissioner will be the competent supervisory authority where applicable.

UK transfers

For transfers subject to the UK GDPR, the UK Addendum applies and is incorporated into this DPA. The information in this DPA is deemed to complete the relevant tables of the UK Addendum where applicable.

Transfer impact and supplementary measures

InnovareAI will implement appropriate supplementary measures where required by Applicable Data Protection Law, taking into account the nature of the transferred data, the destination country, the recipient, and the technical and organizational measures described in Annex 2.