Legal · For business customers
Data Processing Agreement
Where ContactsPlus processes personal data on behalf of a business customer, this Data Processing Agreement (“DPA”) sets out the processor obligations required by GDPR Article 28 and equivalent laws.
Effective date: June 26, 2026
This DPA forms part of the Terms of Use or other written agreement (the “Agreement”) between Contacts Plus LLC (“ContactsPlus,” “Processor”) and the customer (“Customer,” “Controller”) and applies to ContactsPlus’s processing of personal data on the Customer’s behalf. Capitalized terms not defined here have the meaning given in the GDPR or the Agreement.
1. Scope and roles
For personal data the Customer submits to the Services, the Customer is the controller and ContactsPlus is the processor. Where the Customer is itself a processor, ContactsPlus is a subprocessor. ContactsPlus also acts as an independent controller for limited data (e.g., account/billing and certain Completed Contact Data) as described in the Privacy Policy; that processing is governed by the Privacy Policy rather than this DPA. Each party will comply with applicable data protection laws, including the GDPR, UK GDPR, and the CCPA/CPRA.
2. Details of processing
- Subject matter: provision of the ContactsPlus contact-management Services.
- Duration: the term of the Agreement, plus any legally required retention.
- Nature & purpose: storing, syncing, deduplicating, enriching, searching, and otherwise managing contact data to deliver the Services.
- Types of data: contact details (names, emails, phone numbers, addresses), professional information, and other fields the Customer chooses to store.
- Data subjects: the Customer’s contacts, team members, and end users.
3. Processing on documented instructions
ContactsPlus will process personal data only on the Customer’s documented instructions — including the Agreement, this DPA, and use of the Services’ features — unless required by law, in which case ContactsPlus will inform the Customer (unless legally prohibited). ContactsPlus will promptly notify the Customer if, in its opinion, an instruction infringes applicable data protection law.
4. Confidentiality
ContactsPlus ensures that personnel authorized to process personal data are bound by confidentiality obligations and are trained on their data protection responsibilities. Access is limited to personnel who need it to deliver and support the Services.
5. Security measures
ContactsPlus implements and maintains appropriate technical and organizational measures to protect personal data, in line with GDPR Article 32 — including encryption in transit (TLS) and at rest (AES-256), role-based access controls, network protection, secure AWS-hosted infrastructure, and regular vulnerability assessment and penetration testing. Further detail is on our Security page.
6. Subprocessors
The Customer provides general authorization for ContactsPlus to engage subprocessors to deliver the Services. ContactsPlus maintains a current list of subprocessors at contactsplus.com/subprocessors, imposes data protection obligations on each subprocessor no less protective than this DPA, and remains liable for its subprocessors’ performance. ContactsPlus will provide a mechanism to notify the Customer of intended changes (additions or replacements), giving the Customer the opportunity to object on reasonable data protection grounds.
7. Data-subject requests
Taking into account the nature of the processing, ContactsPlus will assist the Customer with appropriate technical and organizational measures, insofar as possible, to respond to data-subject requests (access, rectification, erasure, restriction, portability, and objection). Where a data subject contacts ContactsPlus directly regarding Customer data, ContactsPlus will refer them to the Customer.
8. Assistance, DPIAs & consultation
ContactsPlus will provide reasonable assistance to the Customer with data protection impact assessments and prior consultations with supervisory authorities (GDPR Articles 35–36), taking into account the information available to ContactsPlus.
9. Personal data breach notification
ContactsPlus will notify the Customer without undue delay — and in any event within 72 hours of becoming aware — of a personal data breach affecting Customer data, and will provide information reasonably necessary for the Customer to meet its own notification obligations under GDPR Articles 33–34.
10. Return and deletion of data
Upon termination of the Services, ContactsPlus will, at the Customer’s choice, delete or return the personal data and delete existing copies, except where retention is required by law. Residual copies in secure backups are deleted or anonymized in line with our retention schedule (up to 12 months).
11. Audits
ContactsPlus will make available information reasonably necessary to demonstrate compliance with Article 28 and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates — subject to reasonable confidentiality, scope, frequency, and notice. Where available, third-party reports and certifications may be provided to satisfy audit requests.
12. International transfers
Where ContactsPlus transfers personal data outside the EEA, UK, or Switzerland, it will rely on a valid transfer mechanism under GDPR Article 46 — the European Commission’s Standard Contractual Clauses (and the UK Addendum where applicable), which are incorporated into this DPA by reference.
13. General
In the event of a conflict between this DPA and the Agreement on data protection matters, this DPA controls. The parties’ aggregate liability arising out of this DPA is subject to the limitations of liability in the Agreement, except where applicable law does not permit such limitation. To request an executed copy of this DPA, contact dpo@contactsplus.com.






