Data Processing Agreement

Personal Data processing terms between LeadsApp and Controller. Plain-language summary; written under GDPR / CCPA framing.

1. Definitions

"Personal Data," "Processing," "Data Subject," "Controller," "Processor," and "Supervisory Authority" have the meanings given in applicable data protection laws, including the GDPR. "DPA" means this Data Processing Agreement.

2. Scope of processing

This DPA forms part of the Terms of Service between XAscend LLC ("Processor") and you ("Controller") for the use of LeadsApp. The Processor shall process Personal Data only on documented instructions from the Controller, including with respect to transfers of Personal Data to a third country.

3. Security measures

The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk: TLS 1.3 in transit, encrypted storage at rest, role-based access controls, audit logging, and rate-limited APIs. See our Security page (/security) for the current control inventory and roadmap.

4. Sub-processors

The Processor uses the following sub-processors: Hetzner Online (hosting + storage, DE/US regions), Stripe (payment processing, US), Cloudflare (DNS, US), PostHog (product analytics, US), Google (GTM + Analytics, US). The Processor will notify the Controller of any intended changes to this list 30 days before the change takes effect.

5. Data subject rights

The Processor will assist the Controller in responding to Data Subject requests (access, rectification, erasure, portability, restriction) within 30 days. Requests can be submitted to dpa@leadsapp.com with proof of identity.

6. Data breach notification

The Processor will notify the Controller without undue delay (and in any case within 72 hours) after becoming aware of a Personal Data breach. The notification will include the categories and approximate number of Data Subjects affected, the likely consequences, and the measures taken or proposed to address the breach.

7. International transfers

LeadsApp currently blocks EU IPs and EU-resident contacts entirely at the edge (no EU Personal Data is collected). If we expand to EU coverage in the future, transfers will be performed under the EU Standard Contractual Clauses (SCCs) with supplementary measures as appropriate.

8. Deletion and return

At the choice of the Controller, the Processor will delete or return all Personal Data upon termination of the Service and delete existing copies unless required by law to retain them. Stripe billing records are retained for 7 years per US tax law.

9. Audit rights

The Controller may, at its own expense and with 30 days' notice, request an audit of the Processor's compliance with this DPA. Audits will be limited to once per year except in case of a Data Subject complaint or Supervisory Authority order.

Last updated: 2026-05-23. For DPA inquiries, email dpa@leadsapp.com. XAscend LLC, 30 N Gould St Ste R, Sheridan, WY 82801.