Last updated: June 2, 2026 · Effective date: June 2, 2026


This Data Processing Agreement ("DPA") forms part of, and is incorporated by reference into, the lemonreach Terms & Conditions. It applies whenever lemonreach processes personal data on your behalf, for example the prospect and contact data you discover, import, or enrich through the Service. By accepting the Terms & Conditions, you and lemonreach agree to this DPA. A counter-signed copy for your records is available on request at [email protected].

1. Introduction & Scope

This DPA governs the processing of personal data that lemonreach AB ("lemonreach", "we", "us", "Processor") carries out on behalf of a customer ("you", "Customer", "Controller") in the course of providing the Service described in the Terms & Conditions.

It reflects the requirements of Article 28 of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and applies to the extent that the personal data you process through lemonreach is subject to the GDPR or equivalent data protection law.

Where this DPA conflicts with any other agreement between the parties in relation to the processing of personal data on your behalf, this DPA prevails.

2. Definitions

Terms such as "personal data", "processing", "data controller", "data processor", "sub-processor", "data subject", "personal data breach", and "supervisory authority" have the meanings given to them in the GDPR.

  • "Customer Personal Data" means personal data that lemonreach processes on your behalf under the Terms & Conditions, including prospect and contact data and any personal data contained in documents you upload.
  • "Applicable Data Protection Law" means the GDPR and any other data protection or privacy law applicable to the processing of Customer Personal Data.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in Decision (EU) 2021/914.

3. Roles of the Parties

In respect of Customer Personal Data, you act as the data controller and lemonreach acts as the data processor. Where you are yourself a processor acting on behalf of a third party, lemonreach acts as a sub-processor, and references to "Controller" in this DPA apply accordingly.

You are responsible for establishing and maintaining a lawful basis (such as legitimate interest) for the processing of Customer Personal Data, for the accuracy of your processing instructions, and for ensuring that your use of the Service complies with Applicable Data Protection Law. lemonreach is responsible for processing Customer Personal Data only as set out in this DPA and your documented instructions.

4. Processing Instructions

lemonreach processes Customer Personal Data only on your documented instructions, including with regard to transfers of Customer Personal Data to a third country, unless required to do otherwise by Union or Member State law to which lemonreach is subject. In that case, lemonreach will inform you of that legal requirement before processing, unless the law prohibits this on important grounds of public interest.

Your documented instructions are set out in the Terms & Conditions, this DPA, your configuration and use of the Service, and any further written instructions you provide. The subject matter, duration, nature, and purpose of the processing, and the types of personal data and categories of data subjects, are described in Annex 1.

lemonreach will inform you if, in its opinion, an instruction infringes Applicable Data Protection Law. lemonreach is not obliged to carry out a legal assessment of your instructions.

5. Confidentiality

lemonreach ensures that persons authorised to process Customer Personal Data are bound by an appropriate obligation of confidentiality, whether contractual or statutory, and that access is limited to those who need it to provide the Service.

6. Security Measures

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk to data subjects, lemonreach implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. A description of these measures is set out in Annex 3.

lemonreach may update its security measures from time to time, provided that the updates do not materially reduce the overall level of protection.

7. Sub-processors

You provide a general authorisation for lemonreach to engage sub-processors to process Customer Personal Data. The sub-processors engaged at the effective date of this DPA are listed in Annex 2, together with their location and the safeguard relied on for any transfer outside the EEA.

lemonreach imposes on each sub-processor, by written contract, data protection obligations that are substantially the same as those set out in this DPA, in particular sufficient guarantees to implement appropriate technical and organisational measures. lemonreach remains fully liable to you for the performance of each sub-processor's obligations.

Where lemonreach intends to add or replace a sub-processor, it will give you prior notice (for example by email or through the Service). You may object on reasonable data protection grounds within 30 days of the notice. If you object and the parties cannot agree on a resolution, you may terminate the affected part of the Service by written notice, as your sole remedy.

Customer-connected integrations

The Service lets you connect third-party tools that you control, such as your email mailbox (for example Google Workspace or Microsoft 365), your CRM (for example HubSpot or Salesforce), and your telephony provider (for example Aircall). When you connect such an integration, you instruct lemonreach to send Customer Personal Data to, and where relevant receive it from, that tool on your behalf. Those providers act as your own processors or independent controllers under your separate agreement with them, not as sub-processors of lemonreach, and any transfer of data outside the EEA arising from an integration you connect is governed by your relationship with that provider. lemonreach stores the access credentials for these connections in encrypted form and uses them only to provide the connected functionality you enable.

8. Data Subject Requests

Taking into account the nature of the processing, lemonreach assists you by appropriate technical and organisational measures, insofar as this is possible, to respond to requests from data subjects exercising their rights under Chapter III of the GDPR (such as access, rectification, erasure, restriction, portability, and objection).

If lemonreach receives a request directly from a data subject relating to Customer Personal Data, it will not respond to the request itself, except on your documented instructions or as required by law, and will promptly inform you of the request.

9. Personal Data Breaches

lemonreach notifies you without undue delay after becoming aware of a personal data breach affecting Customer Personal Data. The notification will, to the extent available, describe the nature of the breach, the likely consequences, the measures taken or proposed to address it, and a point of contact for further information.

As data controller, you are responsible for notifying the relevant supervisory authority and, where required, affected data subjects. lemonreach assists you in meeting these obligations, taking into account the nature of the processing and the information available to it.

10. Data Protection Impact Assessments

Taking into account the nature of the processing and the information available to lemonreach, lemonreach provides reasonable assistance to you with any data protection impact assessment and any prior consultation with a supervisory authority that you are required to carry out under Articles 35 and 36 GDPR in relation to the Service.

11. Return & Deletion of Data

On termination or expiry of the Service, lemonreach will, at your choice, delete or return all Customer Personal Data, and delete existing copies, unless Union or Member State law requires continued storage.

Unless you request return or deletion sooner, lemonreach will delete Customer Personal Data within 90 days of termination, subject to any data retained in routine encrypted backups, which is deleted in line with our backup cycle and remains protected by this DPA until then.

12. Audits & Compliance

lemonreach makes available to you all information reasonably necessary to demonstrate compliance with the obligations in Article 28 GDPR and this DPA, and allows for and contributes to audits, including inspections, conducted by you or an auditor you mandate.

To minimise disruption, you agree that lemonreach may satisfy this obligation by providing relevant documentation, security summaries, and responses to a reasonable security questionnaire. On-site audits will be limited to no more than once per year (unless required following a personal data breach or by a supervisory authority), on reasonable prior written notice, during business hours, and subject to confidentiality.

13. International Data Transfers

lemonreach hosts Customer Personal Data within the European Union (AWS Frankfurt region). Where a sub-processor listed in Annex 2 is located outside the EEA, the transfer is protected by an appropriate safeguard under Chapter V of the GDPR:

  • where the European Commission has issued an adequacy decision for the destination country (for example the United Kingdom, Canada in respect of recipients subject to PIPEDA, and Israel), the transfer relies on that decision; and
  • where no adequacy decision applies (for example transfers to the United States), the transfer is made under the Standard Contractual Clauses, supplemented where relevant by additional safeguards and, where applicable, the EU-US Data Privacy Framework.

Where the SCCs apply to processing under this DPA, they are incorporated by reference and completed using the information in Annexes 1 to 3.

14. Liability

Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Terms & Conditions. This DPA does not limit any liability that cannot be limited under Applicable Data Protection Law.

15. Term & Termination

This DPA takes effect when you accept the Terms & Conditions and remains in force for as long as lemonreach processes Customer Personal Data on your behalf. The obligations that by their nature should survive (including those relating to return, deletion, confidentiality, and liability) continue after termination.

16. Governing Law

This DPA is governed by the laws of Sweden, consistent with the Terms & Conditions, without prejudice to any mandatory provision of Applicable Data Protection Law. Where the Standard Contractual Clauses apply, the governing law and forum provisions of the SCCs prevail to the extent of any conflict.

17. Contact

For any question relating to this DPA or to data processing by lemonreach, please contact us:

lemonreach AB

Industrigatan 4A, 212 14 Malmö, Sweden

Email: [email protected]

Annex 1: Details of Processing

Subject matter. The provision of the lemonreach Service, including prospect discovery, contact data enrichment, AI-generated personalised outreach, and campaign management.

Duration. For the term of your subscription and until Customer Personal Data is returned or deleted in accordance with Section 11.

Nature and purpose. Collection, storage, organisation, retrieval, enrichment, and use of Customer Personal Data to generate and manage outreach on your documented instructions, and any other processing necessary to provide the Service.

Types of personal data. Names, business email addresses, business phone numbers, job titles, employer and company names, publicly available professional profile information (for example LinkedIn profile data), and any personal data contained in documents or data you upload.

Categories of data subjects. Your prospects and business contacts, and your own personnel and authorised users of the Service.

Annex 2: Approved Sub-processors

The following sub-processors process Customer Personal Data to help provide the Service:

| Sub-processor | Location | Purpose | Transfer safeguard |
| --- | --- | --- | --- |
| Amazon Web Services EMEA SARL | European Union (Frankfurt) | Cloud hosting, data storage, and AI inference | Within the EU, no transfer |
| Defastra Tech Inc (Prospeo) | Canada | Prospect contact data discovery and email enrichment | EU adequacy decision (Canada / PIPEDA) |
| Bright Data Ltd | Israel | Data enrichment | EU adequacy decision (Israel) |

lemonreach also engages service providers in respect of your own account, billing, and support data (for example Stripe and Attio), for which lemonreach acts as data controller. These are described in our Privacy Policy and are not sub-processors of Customer Personal Data under this DPA. Third-party tools that you connect yourself, such as your email mailbox, CRM, or telephony provider, are addressed in Section 7 and are likewise not sub-processors of lemonreach.

Annex 3: Security Measures

lemonreach maintains technical and organisational measures appropriate to the risk, including:

  • Encryption: Customer Personal Data is encrypted in transit (TLS/HTTPS) and at rest.
  • Hosting: primary infrastructure is hosted within the European Union (AWS Frankfurt region).
  • Access control: role-based access on a least-privilege, need-to-know basis, with access reviewed periodically.
  • Authentication: user authentication is managed with industry-standard practices through a managed identity provider.
  • Network and monitoring: network controls, logging, and monitoring to detect and respond to security events.
  • Confidentiality: personnel with access are bound by confidentiality obligations.
  • Sub-processor management: due diligence and written data protection terms with sub-processors.
  • Resilience and backups: encrypted backups and measures to restore availability after an incident.
