Data Processing Agreement

Dealtact (operated by Cyzag Ltd) · Last updated: February 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Cyzag Ltd trading as Dealtact ("Processor", "we", "us") and the Customer ("Controller", "you") who subscribes to the Dealtact service.

This DPA sets out the terms under which we process personal data on your behalf when you use our Service.


1. Definitions

  • "Data Protection Laws" means the UK GDPR, EU GDPR, Data Protection Act 2018, and any other applicable data protection legislation.
  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
  • "Sub-processor" means any third party engaged by us to process Personal Data on your behalf.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "Customer Data" means Personal Data that you upload, input, or create within the Service.

2. Roles and Responsibilities

2.1 Controller and Processor

  • You are the Controller of Customer Data. You determine the purposes and means of processing.
  • We are the Processor of Customer Data. We process data only on your documented instructions.

2.2 Your Responsibilities

You are responsible for:

  • Ensuring you have a lawful basis to collect and process Personal Data
  • Providing appropriate privacy notices to Data Subjects
  • Obtaining any necessary consents
  • Ensuring the accuracy of Personal Data
  • Responding to Data Subject requests (with our assistance)
  • Complying with all applicable Data Protection Laws

2.3 Our Responsibilities

We are responsible for:

  • Processing Personal Data only on your documented instructions
  • Ensuring personnel are bound by confidentiality obligations
  • Implementing appropriate security measures
  • Assisting you with Data Subject requests
  • Notifying you of data breaches
  • Deleting or returning data upon termination

3. Scope of Processing

3.1 Subject Matter

We process Personal Data to provide you with the Dealtact CRM service as described in our Terms of Service.

3.2 Duration

Processing continues for the duration of your subscription plus 30 days for data deletion.

3.3 Nature and Purpose

Purpose            Description
Service delivery   Storing and displaying your Customer Data
AI features        Processing data to provide coaching and recommendations
Email integration  Sending emails on your behalf
Analytics          Generating reports and insights about your data
Support            Accessing data to resolve support requests

3.4 Categories of Data Subjects

  • Your customers and prospects
  • Contacts at customer organisations
  • Other individuals whose data you input

3.5 Categories of Personal Data

  • Names and contact details
  • Job titles and company information
  • Communication history
  • Notes and activity records
  • Any other data you choose to input

3.6 Special Categories of Data

The Service is not designed to process special category data (e.g., health data, religious beliefs, ethnic origin). You must not upload such data unless you have appropriate safeguards in place.


4. Instructions

4.1 Documented Instructions

We process Personal Data only on your documented instructions, which include:

  • This DPA
  • Our Terms of Service
  • Your use of Service features
  • Written instructions provided via email

4.2 Additional Instructions

If you require processing beyond our standard Service, we will inform you of any additional costs or limitations.

4.3 Unlawful Instructions

If we believe an instruction violates Data Protection Laws, we will notify you and may decline to carry out the instruction.


5. Security Measures

5.1 Technical Measures

We implement the following technical measures:

Measure                   Description
Encryption in transit     TLS 1.2 or higher for all connections
Encryption at rest        AES-256 encryption for stored data
Access controls           Role-based access, multi-factor authentication
Network security          Firewalls, intrusion detection
Vulnerability management  Regular security scanning and patching
Backup and recovery       Daily backups, tested recovery procedures

5.2 Organisational Measures

Measure             Description
Personnel security  Background checks, confidentiality agreements
Training            Regular data protection training
Access management   Least privilege principle, access reviews
Incident response   Documented breach response procedures
Vendor management   Due diligence on sub-processors

5.3 Security Assessment

Upon request, we will provide:

  • A summary of our security measures
  • Penetration test summaries (under NDA)
  • Relevant certifications or attestations

6. Sub-processors

6.1 Authorised Sub-processors

You authorise us to engage the sub-processors listed at dealtact.ai/legal/sub-processors to process Personal Data.

Current sub-processors:

Sub-processor             Purpose                              Location  DPA in Place
Microsoft (Azure)         Cloud hosting, database              UK/EU     Yes
Anthropic                 AI processing                        USA       Yes
Microsoft (Azure OpenAI)  Text embeddings for semantic search  USA/EU    Yes
Stripe                    Payment processing                   USA       Yes
SendGrid (Twilio)         Email delivery                       USA       Yes
Google                    Authentication (OAuth)               USA       Yes

6.2 Sub-processor Obligations

We ensure that each sub-processor:

  • Is bound by data protection obligations equivalent to this DPA
  • Implements appropriate security measures
  • Processes data only as necessary to provide their service

6.3 Changes to Sub-processors

We will notify you at least 14 days before engaging a new sub-processor by:

  • Updating our sub-processor list
  • Sending email notification (if you've opted in)

You may object to a new sub-processor within 14 days. If we cannot address your objection, you may terminate your subscription.


7. International Transfers

7.1 Transfer Mechanisms

For transfers outside the UK/EEA, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Agreement (IDTA)
  • Supplementary measures where required

7.2 Transfer Impact Assessments

We have conducted transfer impact assessments for our US-based sub-processors and determined that, with the safeguards in place, your data is adequately protected.

7.3 Documentation

Upon request, we will provide copies of relevant SCCs and transfer mechanisms.


8. Data Subject Rights

8.1 Assistance

We will assist you in responding to Data Subject requests, including:

  • Access requests
  • Rectification requests
  • Erasure requests
  • Portability requests
  • Objection requests
  • Restriction requests

8.2 Self-Service

Many requests can be fulfilled through Service features:

Request Type   How to Fulfil
Access         Export contact/company data
Rectification  Edit records directly
Erasure        Delete contact records
Portability    Export data in JSON/CSV format

8.3 Direct Requests

If a Data Subject contacts us directly, we will:

  • Notify you within 5 business days
  • Not respond directly unless legally required
  • Refer the Data Subject to you

8.4 Costs

Reasonable assistance is included in your subscription. Extensive or repeated requests may incur additional charges.


9. Data Breach Notification

9.1 Notification to You

If we become aware of a Personal Data breach affecting your Customer Data, we will:

  • Notify you without undue delay (within 48 hours)
  • Provide available details about the breach
  • Cooperate with your investigation
  • Take steps to mitigate the breach

9.2 Breach Notification Contents

Our notification will include (to the extent known):

  • Nature of the breach
  • Categories and approximate number of affected Data Subjects
  • Categories and approximate volume of affected records
  • Likely consequences
  • Measures taken or proposed to address the breach

9.3 Your Obligations

You are responsible for:

  • Notifying relevant supervisory authorities (if required)
  • Notifying affected Data Subjects (if required)
  • Maintaining records of breaches

10. Audit Rights

10.1 Information

Upon request, we will provide information necessary to demonstrate compliance with this DPA.

10.2 Audits

You may conduct an audit of our data processing activities:

  • With 30 days' written notice
  • During normal business hours
  • At your expense
  • Subject to confidentiality obligations
  • No more than once per year (unless a breach has occurred)

10.3 Third-Party Audits

You may appoint a qualified third-party auditor, subject to our approval (not unreasonably withheld) and a confidentiality agreement.

10.4 Alternatives

Instead of an on-site audit, we may provide:

  • Relevant certifications (e.g., ISO 27001)
  • Third-party audit reports
  • Completed security questionnaires

11. Data Retention and Deletion

11.1 During Subscription

We retain Customer Data for the duration of your subscription plus 30 days.

11.2 Upon Termination

Upon termination of your subscription:

  • You may export your data for 30 days
  • After 30 days, we will delete your Customer Data
  • We will confirm deletion upon request

11.3 Exceptions

We may retain data if:

  • Required by applicable law
  • Needed to resolve disputes
  • Required for legitimate business purposes (anonymised only)

12. Liability

12.1 Processor Liability

We are liable for damage caused by processing that does not comply with Data Protection Laws or this DPA.

12.2 Controller Liability

You are liable for damage caused by processing that does not comply with your obligations under Data Protection Laws.

12.3 Limitation

Liability under this DPA is subject to the limitations set out in our Terms of Service.


13. Term and Termination

13.1 Term

This DPA is effective from the date you accept our Terms of Service and continues until your subscription ends.

13.2 Survival

Provisions relating to confidentiality, data deletion, and liability survive termination.


14. General

14.1 Governing Law

This DPA is governed by the laws of England and Wales.

14.2 Conflicts

If there is a conflict between this DPA and our Terms of Service, this DPA prevails for data protection matters.

14.3 Amendments

We may update this DPA to reflect changes in Data Protection Laws. We will notify you of material changes.


15. Contact

For data protection inquiries:

Data Protection Contact: privacy@dealtact.ai

Address: Cyzag Ltd, Devonshire House, 582 Honeypot Lane, Stanmore, Middlesex, HA7 1JS, United Kingdom


Annex A: Technical and Organisational Measures

A.1 Measures of Pseudonymisation and Encryption

  • All data encrypted at rest using AES-256
  • All data encrypted in transit using TLS 1.2+
  • Database-level encryption enabled
  • Backup encryption enabled

A.2 Measures for Ensuring Confidentiality

  • Role-based access controls
  • Multi-factor authentication
  • Regular access reviews
  • Confidentiality agreements with all personnel

A.3 Measures for Ensuring Integrity

  • Audit logging of all data modifications
  • Version control for system changes
  • Input validation
  • Database constraints

A.4 Measures for Ensuring Availability

  • Daily automated backups
  • Geo-redundant storage
  • Disaster recovery procedures
  • 99.9% uptime target

A.5 Measures for Ensuring Resilience

  • Load balancing
  • Auto-scaling infrastructure
  • Regular failover testing
  • Incident response procedures

A.6 Measures for Restoring Availability and Access

  • Recovery Point Objective (RPO): 24 hours
  • Recovery Time Objective (RTO): 4 hours
  • Documented restoration procedures
  • Regular recovery testing

A.7 Processes for Regularly Testing Security

  • Automated vulnerability scanning
  • Annual penetration testing
  • Security code reviews
  • Incident response drills

A.8 Measures for User Identification and Authorisation

  • Strong password requirements
  • Multi-factor authentication
  • Session timeout policies
  • Account lockout after failed attempts

A.9 Measures for Protection During Transmission

  • TLS 1.2+ for all connections
  • HTTPS enforced
  • Secure API authentication
  • Certificate management

A.10 Measures for Protection During Storage

  • AES-256 encryption at rest
  • Secure key management
  • Physical security of data centres (Azure)
  • Secure deletion procedures

A.11 Measures for Physical Security

  • Azure data centres with SOC 2 certification
  • No on-premise data storage
  • Secure development environments

A.12 Measures for Event Logging

  • Comprehensive audit logging
  • Log retention for 12 months
  • Tamper-evident log storage
  • Log monitoring and alerting

A.13 Measures for System Configuration

  • Hardened system configurations
  • Regular patching schedule
  • Configuration management
  • Change control procedures

A.14 Measures for Internal IT Governance

  • Information security policies
  • Regular policy reviews
  • Security awareness training
  • Incident response procedures

A.15 Measures for Ensuring Data Quality

  • Input validation
  • Data integrity checks
  • User ability to edit/correct data
  • Export functionality for verification