Definitions
In this DPA, the key terms carry the meanings given by applicable data protection law and, where not defined here, the meanings in the agreement between FUNEL and the customer. Capitalised terms not defined below have the meaning set out in that agreement.
- "Applicable Data Protection Law" means all laws and regulations governing the processing of personal data that apply to a party, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA).
- "Controller" means the entity that determines the purposes and means of processing personal data. Under this DPA, the customer is the controller (or, where the customer is itself a processor, acts as the controller's representative).
- "Processor" means the entity that processes personal data on behalf of the controller. Under this DPA, FUNEL is the processor.
- "Personal Data" means any information relating to an identified or identifiable natural person that FUNEL processes on the customer's behalf under the agreement.
- "Processing" means any operation performed on personal data, such as collection, storage, use, disclosure, or deletion.
- "Data Subject" means the natural person to whom the personal data relates.
- "Sub-processor" means any third party engaged by FUNEL to process personal data on the customer's behalf in connection with the services.
- "Standard Contractual Clauses" (SCCs) means the contractual clauses approved by the relevant authority for the transfer of personal data to countries that do not provide an adequate level of protection.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data processed on the customer's behalf.
Roles of the parties (controller and processor)
For personal data that FUNEL processes on the customer's behalf to provide the services, the customer is the controller and FUNEL is the processor. The customer determines the purposes and means of that processing, and FUNEL processes it only on the customer's documented instructions as set out in this DPA and the agreement.
This DPA does not cover processing where FUNEL acts as a controller in its own right. FUNEL is an independent controller of the business contact records it sources from publicly available professional and business information and enriches, of account and billing data, and of service operation and security data. That controller processing — including its lawful basis, the right to object, and how to opt out — is described in FUNEL's Privacy Policy and is not governed by this DPA.
Where the customer is itself a processor acting for another controller, the customer warrants that it has the necessary authority and instructions to engage FUNEL as a sub-processor and to bind the ultimate controller to terms no less protective than those in this DPA.
Scope and duration
This DPA applies for as long as FUNEL processes personal data on the customer's behalf under the agreement, and it forms part of that agreement. Its scope is the processing necessary to deliver the FUNEL services the customer has subscribed to, and no other purpose.
Processing begins when the customer first instructs FUNEL to process personal data on its behalf and continues for the term of the agreement. It ends on termination or expiry of the agreement, subject to the return-or-deletion provisions in this DPA and any retention required by law. Provisions that by their nature should survive termination — including confidentiality, audit cooperation in respect of past processing, and liability — survive.
Details of the processing
FUNEL processes personal data on the customer's behalf only to operate the services the customer uses: organising and enriching contact records the customer works with, running outreach the customer configures, and syncing data to the customer's connected systems. The specifics are set out below.
Subject matter
The provision of FUNEL's sales-intelligence and outreach platform to the customer, under which FUNEL processes personal data on the customer's instructions.
Nature and purpose
- Storing, organising, and presenting business contact and company records within the customer's workspace.
- AI-assisted enrichment, structuring, and verification of records the customer chooses to work with.
- Sending and managing email outreach that the customer configures and authorises.
- Syncing records and outreach activity to the customer's connected systems at the customer's direction.
- Providing support, securing the service, and maintaining its availability and integrity.
Categories of data subjects
- Business contacts and professionals whose records the customer imports, builds, enriches, or targets in its workspace.
- The customer's own personnel and authorised users of the service.
- Recipients and prospects the customer engages through outreach campaigns.
Categories of personal data
- Business identifiers — name, professional or job title, employer, and seniority.
- Business contact details — work email address, business phone number, and professional or public profile links.
- Company-association data — role, department, location, and other firmographic context tied to a contact.
- Outreach and engagement data — messages sent, replies, opens, clicks, and campaign status.
- Account and user data for the customer's authorised users, such as name and login email.
- Any additional fields the customer chooses to upload, create, or import into its workspace.
Customer (controller) obligations and instructions
The customer is responsible for the lawfulness of the personal data it processes through FUNEL and for the instructions it gives. The customer warrants that it has a valid legal basis and any required notices or consents in place for FUNEL to process that data on its behalf for the purposes set out in this DPA.
- Provide and maintain documented instructions for FUNEL's processing — the agreement, this DPA, and the configuration choices made through the service constitute those instructions.
- Ensure that the personal data submitted to the service, and the customer's use of the service, comply with Applicable Data Protection Law, including any obligations as a controller toward data subjects.
- Establish and maintain a valid lawful basis for the processing and provide any notices, honour any opt-outs, and obtain any consents required of a controller.
- Respond to data subject requests for which the customer is the controller, using the assistance FUNEL provides under this DPA.
- Not instruct FUNEL to process personal data in a manner that infringes Applicable Data Protection Law; FUNEL may decline or suspend any instruction it reasonably believes would do so and will inform the customer.
- Refrain from submitting special categories of personal data or data of children to the service.
FUNEL (processor) obligations
FUNEL processes personal data only on the customer's documented instructions, keeps it confidential, and protects it with the security measures required by Article 32 of the GDPR. FUNEL will not use personal data processed on the customer's behalf for its own purposes, and it does not sell that personal data for money.
Processing only on documented instructions
FUNEL processes personal data on the customer's behalf solely to provide the services and only as instructed by the customer through the agreement, this DPA, and its configuration of the service — unless required to act otherwise by law, in which case FUNEL will inform the customer in advance unless the law prohibits it.
Confidentiality
FUNEL ensures that personnel authorised to process personal data are bound by appropriate confidentiality obligations and access it only on a need-to-know basis for delivering the services.
Security measures (Article 32)
Taking account of the state of the art, the costs of implementation, and the nature, scope, context, and risk of the processing, FUNEL maintains appropriate technical and organisational measures to protect personal data, including:
- Encryption of personal data in transit (TLS) and at rest (AES-256).
- Access controls, authentication, and least-privilege restrictions on systems that hold personal data.
- An information-security framework designed to be GDPR-compliant by design and CCPA-aligned.
- Logging, monitoring, and measures to maintain the confidentiality, integrity, availability, and resilience of processing systems.
- Procedures for restoring availability after an incident and for regularly testing and evaluating the effectiveness of these measures.
Sub-processors
The customer gives FUNEL general authorisation to engage sub-processors to help deliver the services. FUNEL imposes data protection obligations on each sub-processor that are no less protective than those in this DPA and remains fully responsible to the customer for each sub-processor's performance.
FUNEL engages sub-processors in the following categories:
- Cloud hosting provider
- Email delivery provider
- Payment processor
- Analytics and monitoring provider
A current list of the specific sub-processors within these categories is available on request to privacy@funel.to. Before adding or replacing a sub-processor, FUNEL will give the customer reasonable prior notice and an opportunity to object on reasonable data protection grounds. If the customer objects and FUNEL cannot reasonably accommodate the objection, the customer may terminate the affected portion of the services.
International transfers
Where FUNEL transfers personal data processed on the customer's behalf across borders to a country that does not provide an adequate level of protection, FUNEL relies on an appropriate transfer mechanism — such as the Standard Contractual Clauses — together with any supplementary measures needed to protect the data.
The relevant Standard Contractual Clauses (including the UK addendum where applicable) are incorporated into this DPA by reference and apply to such transfers. Where a future adequacy decision or an alternative lawful transfer mechanism becomes available, FUNEL may rely on it instead. FUNEL will provide a copy of the applicable transfer terms on request to privacy@funel.to.
Assistance to the controller
FUNEL provides reasonable assistance to help the customer meet its own obligations as a controller, taking into account the nature of the processing and the information available to FUNEL. This includes support with data subject requests, security, breach handling, data protection impact assessments, and prior consultations with supervisory authorities.
- Data subject requests (DSARs): FUNEL provides tools and, where needed, reasonable support to help the customer respond to data subjects' requests to access, correct, delete, restrict, port, or object to the processing of their data. If FUNEL receives a request directly relating to the customer's data, it will promptly forward it to the customer rather than respond itself, unless required by law.
- Data protection impact assessments (DPIAs) and prior consultations: FUNEL provides the information reasonably available to it about its processing and security measures to assist the customer's DPIAs and any required consultations with a supervisory authority.
- Security and breach support: FUNEL assists the customer with the security of processing and with meeting its breach-notification obligations, as set out below.
Personal data breach notification
FUNEL notifies the customer without undue delay after becoming aware of a personal data breach affecting personal data processed on the customer's behalf. The notice describes the nature of the breach and the information reasonably available to FUNEL so the customer can meet its own notification obligations.
FUNEL's notice will, to the extent known, describe the nature of the breach and the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it and mitigate harm. FUNEL takes reasonable steps to contain and remediate the breach and cooperates with the customer's reasonable requests in connection with it. FUNEL's notification is not an acknowledgement of fault or liability.
Return or deletion of data on termination
On termination or expiry of the agreement, FUNEL will, at the customer's choice, return or delete the personal data it processes on the customer's behalf, unless retention is required by law. The customer can also delete its data through the service at any time during the term.
Following a deletion request, FUNEL deletes or anonymises the relevant personal data promptly — within approximately 30 days — except where, and only for as long as, applicable law requires it to be retained. Residual copies in routine backups are purged on FUNEL's standard backup cycle and remain protected by this DPA's security measures until they are. On request, FUNEL will confirm in writing that the deletion has been carried out.
Audits and information
FUNEL makes available to the customer the information reasonably necessary to demonstrate compliance with this DPA, and allows for and contributes to audits of its processing conducted by the customer or an independent auditor it mandates, subject to the conditions below.
FUNEL primarily satisfies audit requests by providing its security documentation and summary reports on request to privacy@funel.to. Where Applicable Data Protection Law requires more, the customer may request an audit no more than once a year (or following a personal data breach affecting its data), on reasonable prior written notice, during business hours, without disrupting FUNEL's operations, and subject to confidentiality. The customer bears its own audit costs and reimburses FUNEL's reasonable costs for assistance beyond providing standard documentation.
Liability
Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the agreement, and any reference to a party's aggregate liability in the agreement applies to its liability under the agreement and this DPA combined.
Nothing in this DPA limits either party's liability to a data subject or a supervisory authority where such a limit is not permitted by Applicable Data Protection Law. As between the parties, each party is responsible for its own compliance with Applicable Data Protection Law in the role it holds. This DPA, and any dispute relating to it, is governed by the laws of the jurisdiction in which FUNEL is established, consistent with the agreement.
Order of precedence
This DPA forms part of and supplements the agreement between FUNEL and the customer. If there is a conflict between this DPA and the agreement on the subject of personal data processing, this DPA prevails to the extent of the conflict.
- Where the Standard Contractual Clauses or another mandatory transfer mechanism apply, those clauses prevail over this DPA to the extent of any conflict regarding the relevant transfer.
- Subject to the transfer clauses, this DPA prevails over the rest of the agreement on matters of personal data processing.
- On all other matters, the agreement governs.
This DPA is effective from June 17, 2026. Questions about this DPA, or requests for the sub-processor list, transfer terms, or compliance documentation, can be sent to privacy@funel.to.