data processing agreement.

01 · parties and scope

This Data Processing Agreement (“DPA”) is entered into between the Client (“Controller”) identified in the Statement of Work and Spectra Acquisition Ltd. (“Processor”). It applies whenever Spectra processes personal data on behalf of the Controller in connection with the services, and forms part of the Master Services Agreement between the parties. It is intended to comply with UK GDPR, the EU General Data Protection Regulation (Regulation (EU) 2016/679), and applicable state-level US privacy law including CCPA/CPRA.

02 · subject-matter and duration

03 · processor obligations

• process personal data only on documented instructions from the Controller, including with regard to international transfers, unless required to do otherwise by law.
• ensure that personnel authorised to process the data are bound by confidentiality obligations.
• implement appropriate technical and organisational measures including encryption in transit and at rest, MFA, least-privilege access, and logged audit trails (see Annex II).
• assist the Controller in responding to data-subject requests and in meeting its obligations under Articles 32–36 of the GDPR.
• at the Controller's choice, delete or return all personal data at the end of the engagement, and delete existing copies unless retention is required by law.
• make available to the Controller all information necessary to demonstrate compliance, and allow for audits on reasonable notice.

04 · sub-processors

The Controller authorises Spectra to engage sub-processors subject to the conditions in Article 28(2)–(4) of the UK GDPR. A current list is maintained at /legal/sub-processors. Spectra will notify the Controller of any intended changes at least 30 days before they take effect, giving the Controller the opportunity to object. Sub-processors are bound by written terms imposing substantially the same data-protection obligations as those set out in this DPA.

05 · international transfers

Where processing involves the transfer of personal data outside the UK or EEA, such transfers are made subject to the UK International Data Transfer Addendum or the EU Standard Contractual Clauses (2021/914), as applicable, together with supplementary measures appropriate to the destination country.

06 · personal-data breaches

Spectra will notify the Controller without undue delay — and in any event within 48 hours — after becoming aware of a personal-data breach affecting the Controller's data, providing sufficient information for the Controller to meet its Article 33 obligations.

07 · liability and precedence

Each party's liability under this DPA is subject to the exclusions and limitations set out in the Master Services Agreement. In the event of conflict between this DPA and the MSA, the terms of this DPA prevail in respect of the processing of personal data.

annex i · processing details

data importer

Spectra Acquisition Ltd., Kington, London, UK. Data protection contact: info@spectraacquisition.com.

processing activities

• list construction and enrichment from lawful sources
• email and LinkedIn outbound on domains and accounts provisioned by Spectra or the Controller
• reply triage and booking into the Controller's calendar
• synchronisation of engagement metadata back into the Controller's CRM
• measurement, reporting, and optimisation

annex ii · technical & organisational measures

• encryption in transit (TLS 1.2+) and at rest on all stores
• MFA on every operator account; SSO where supported by the sub-processor
• role-based access control with least-privilege defaults and quarterly access reviews
• separate production and working environments; no shared credentials
• centralised, immutable logging of data access and changes; 12-month retention
• documented incident-response plan with tabletop exercises twice a year
• written data-deletion procedure invoked at engagement end or on Controller request