Data Processing Agreement (DPA)
This Data Processing Agreement ("DPA") forms part of the Terms of Service between the Client (the "Controller") and GetLostLeads (the "Processor"). It reflects the parties' commitment to GDPR, CCPA, and DPDP compliance.
1. Scope and Details of Processing
The Processor will process personal data (specifically lead details like names, email addresses, and phone numbers captured through whitelisted form fields) on behalf of the Controller. Processing is restricted to form field interactions, session identification, and friction analysis.
2. Technical and Organizational Measures
The Processor implements the following core security controls:
- Automatic IP Masking: Incoming IP addresses are immediately truncated at the application gateway, ensuring zero retention of raw IP values.
- Pre-Consent Safety Gating: The SDK remains dormant or runs in an anonymous-only fallback mode (zero PII storage) until the end-user provides explicit consent.
- PII Field Whitelisting: High-risk inputs (passwords, credit cards, CVV, hidden fields) are structurally blocked and never recorded by the SDK.
- Data Minimization: Incomplete submissions are automatically deleted after a 30-day retention period.
3. Data Subject Rights (DSR)
The Processor shall provide reasonable assistance to the Controller to fulfill requests by data subjects exercising their rights (access, correction, or deletion) under global privacy laws. Deletion requests can be sent via the Processor's compliance endpoints or active session API calls.
4. Subprocessors
The Processor will not engage any third-party subprocessor without prior notification to the Controller. All subprocessors are bound by data protection obligations equivalent to those set out in this DPA.