Data Processing Agreement

Version 1.1 — Effective Date: May 20, 2026 Enterprise Template SCC Module 2 UK IDTA

This Data Processing Agreement ("DPA") is entered into between the Customer organization identified in the applicable Service Agreement ("Controller" or "Customer") and Resolon LLC ("Processor" or "Company"), collectively referred to as the "Parties."

This DPA supplements and forms part of the Terms of Service and governs the Processor's processing of personal data on behalf of the Controller in connection with the Lead Validator Pro platform. In the event of a conflict between the Terms of Service and this DPA with respect to Personal Data, this DPA controls.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person processed under this DPA, including Lead Data as defined in the Terms of Service.
"Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, alignment, restriction, erasure, or destruction.
"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
"Data Subject" means the natural person to whom Personal Data relates.
"Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
"Applicable Data Protection Laws" means all applicable federal, state, and (where the Controller so requires) international data protection and privacy laws, including GLBA, CCPA/CPRA, TDPSA, VCDPA, CPA, CTDPA, GDPR, and UK GDPR, and any successor or implementing legislation.
"SCCs" means the Standard Contractual Clauses annexed to European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended or replaced.
"UK IDTA" means the United Kingdom International Data Transfer Addendum to the SCCs issued by the UK Information Commissioner's Office (Version B1.0, in force 21 March 2022), as amended or replaced.

2. Scope and Purpose of Processing

2.1 Subject Matter

The Processor processes Personal Data on behalf of the Controller for the purpose of providing insurance lead validation, quality scoring, fraud detection, and related analytical services.

2.2 Categories of Data Subjects

Insurance lead prospects (consumers whose data is submitted for validation)
Controller's employees and authorized users (account credentials and usage data)

2.3 Types of Personal Data Processed

Category	Data Elements
Identity Data	Name, date of birth, gender
Contact Data	Phone number, email address, mailing address
Vehicle Data	VIN, make, model, year, registration state
Driver's License Data	DL number, state, status, expiration
Insurance Data	Current carrier, policy expiration, coverage type, claims history
Property Data	Ownership status, property type, valuation, characteristics
Financial Indicators	Estimated income range, credit tier (when provided)
Authentication Data (Authorized Users only)	Hashed credentials (held by WorkOS), TOTP seeds, session cookies, IP/User-Agent at auth time

2.4 Processing Purposes

Identity and contact verification across multiple data sources
Address validation and property record matching
Vehicle and driver's license verification via authorized databases (per DPPA)
AI-powered legitimacy scoring and fraud pattern detection
Household composition analysis for multi-policy opportunities
Disposition recommendation generation
Compliance reporting and audit trail maintenance
Training, calibrating, and improving the Processor's validation algorithms, scoring models, and fraud detection systems using Lead Data, including in derivative and aggregated forms
Generating aggregated industry benchmarks, lead quality metrics, and derivative data products

2.5 Derivative Data Rights

The Controller acknowledges and agrees that the Processor has the rights set out in the Terms of Service, Section 10 to create, use, license, sell, and otherwise commercialize derivative works (including aggregated datasets, statistical models, benchmarks, validation patterns, scoring calibrations, fraud detection signatures, and de-identified data products) from the Processing of Personal Data. Such derivative data, when in a form that cannot reasonably identify any individual Data Subject, is the exclusive and irrevocable property of the Processor, survives termination of this Agreement, and is not subject to the data return or deletion obligations in Section 7. The Controller's grant of this right is a material part of the consideration for the Processor's pricing and service availability and is not severable from this DPA.

3. Processor Obligations

Process Personal Data only on documented instructions from the Controller and as permitted under this Agreement (including Section 2.5, Derivative Data Rights), unless required by Applicable Data Protection Law
Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
Implement appropriate technical and organizational security measures (see Annex II)
Engage Sub-processors only in accordance with Section 4
Taking into account the nature of the Processing, assist the Controller by appropriate technical and organizational measures in fulfilling the Controller's obligation to respond to requests from Data Subjects to exercise their rights
Assist the Controller in ensuring compliance with security, breach-notification, data protection impact assessment, and prior consultation obligations where applicable
Delete or return all individually identifiable Personal Data upon termination, at the Controller's choice (see Section 7); derivative and aggregated data is retained per Section 2.5
Make available all information necessary to demonstrate compliance and allow for audits (see Section 9)
Immediately inform the Controller if an instruction infringes Applicable Data Protection Law

4. Sub-processors

4.1 Authorized Sub-processors

The Controller provides general written authorization for the Processor to engage the Sub-processors identified at /subprocessors, which is incorporated into this DPA by reference and forms Annex III. The current list (as of the effective date above) is:

Sub-processor	Purpose	Data Processed	Location
Render Services, Inc.	Application hosting, managed Postgres, daily managed snapshots	All Personal Data at rest	USA (Ohio)
Cloudflare, Inc.	DNS, WAF, Zero Trust Access, Turnstile, edge CDN, inbound email Worker	Source IP, User-Agent, request headers/paths, inbound lead email contents	Global edge
WorkOS, Inc.	Identity, password storage, session management, MFA, SSO	Subscriber email, hashed password, IP/UA at auth time	USA
Stripe, Inc.	Subscription billing, payment processing, customer portal	Billing contact, tokenized card, invoice history. No PAN held by Processor.	USA (global)
Resend, Inc.	Transactional email delivery	Recipient email, subject and body (may include lead identifiers per Customer-configured templates), delivery telemetry	USA
Functional Software, Inc. d/b/a Sentry	Error and performance monitoring	Stack traces, environment fingerprints, scrubbed request context. Server-side PII scrubbing applied.	USA
Anthropic PBC	AI analysis engine (Claude API)	Lead data fields for legitimacy analysis. No persistent storage by Anthropic under API terms.	USA
Enformion, Inc. (EndatoGO)	Identity verification, contact enrichment	Name, address for identity matching and enrichment	USA
IPQualityScore LLC	Email and phone fraud scoring	Email address, phone number for fraud analysis	USA
Smarty, LLC	Property data validation	Street address only	USA
Google LLC	Maps API, geocoding, Street View	Street address only	USA
Telegram Messenger Inc.	Operational alerting to Customer-administered chats	Message contents configured by the Customer	Global

4.2 Sub-processor Changes

The Processor shall notify the Controller at least 30 days before engaging a new Sub-processor or replacing an existing one, by updating /subprocessors and, for Customers who have subscribed to sub-processor notifications, by email to the Customer's designated contact. The Customer may object in good faith on reasonable data-protection grounds within 14 days of notification. If the Processor cannot reasonably accommodate the objection, either party may terminate the affected portion of the Service on written notice; the Customer will receive a prorated refund for any unused prepaid term.

4.3 Sub-processor Obligations

Each Sub-processor is bound by a written agreement (or by the Sub-processor's standard published DPA) imposing data protection obligations no less protective than those in this DPA. The Processor remains fully liable to the Controller for the acts and omissions of its Sub-processors.

5. Security Measures

The technical and organizational measures the Processor implements are set out in Annex II to this DPA. Annex II forms an integral part of this DPA for the purposes of Article 32 GDPR and analogous obligations under Applicable Data Protection Laws.

6. Data Subject Rights

The Processor provides self-service tools and documented APIs to enable the Controller to respond to Data Subject requests, including:

Self-serve erasure (CCPA right-to-delete / GDPR Art. 17): POST /api/privacy/erasure-request
Self-serve portability (CCPA right-to-know / GDPR Art. 20): POST /api/privacy/portability-request
Authenticated tenant-admin deletion: Settings › Privacy › Data Deletion
Authenticated tenant-admin export: Settings › Privacy › Data Export

Where the Processor receives a request directly from a Data Subject, the Processor will promptly forward the request to the Controller and will not respond on the merits except on the Controller's documented instructions (or as required by Applicable Data Protection Law).

7. Data Return and Deletion

7.1 Upon Termination

Upon termination or expiration of the Service Agreement:

The Controller may request a complete export of all individually identifiable Personal Data in JSON or CSV format within 30 days
After the 30-day export window (or upon written instruction), the Processor shall permanently delete all individually identifiable Personal Data from active systems within 14 days
Personal Data in backup systems shall age out per the Processor's standard managed-snapshot retention (Render managed snapshots) and be deleted at the end of that schedule
The Processor shall provide written confirmation of deletion upon request
Derivative and aggregated data (Section 2.5) is not subject to deletion

7.2 Retention Exceptions

The Processor may retain Personal Data beyond the termination date only to the extent required by Applicable Data Protection Law (e.g., audit logs required for regulatory compliance; billing records for tax retention). Such data shall be segregated and protected, and deleted when the legal requirement expires.

8. Liability

Each Party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service, except that neither Party's liability for breaches of this DPA relating to data protection obligations shall be limited to the extent prohibited by Applicable Data Protection Law. Nothing in this DPA limits the Controller's indemnification obligations under Sections 5.3 (TCPA) and 12 (Indemnification) of the Terms of Service.

9. Audit Rights

The Controller may, no more than once per twelve (12) month period (except as required by Applicable Data Protection Law, in which case more frequent audits are permitted), audit the Processor's compliance with this DPA, with at least 30 days' prior written notice, during normal business hours, under reasonable confidentiality obligations, and at the Controller's expense.

The Processor may fulfill the audit right by providing (i) its most recent third-party security assessment, penetration-test summary, or compliance attestation (e.g., SOC 2 Type II once attested) and (ii) written responses to the Controller's reasonable inquiries. Where the Controller requires an on-site audit, the Parties will cooperate in good faith to agree on scope, timing, and cost. Nothing in this Section limits a supervisory authority's statutory audit rights.

10. Term and Termination

This DPA takes effect on the date the Controller begins using the Service and remains in effect as long as the Processor processes Personal Data on behalf of the Controller. The Processor's obligations under Sections 5 (Security), 11 (Personal Data Breach Notification), 7 (Return and Deletion), and 13 (International Data Transfers) survive termination to the extent applicable.

11. Personal Data Breach Notification (Processor to Controller)

24-Hour Notification Commitment

The Processor will notify the Controller of a confirmed Data Breach affecting the Controller's Personal Data without undue delay and in any event within twenty-four (24) hours of the Processor's confirmation of the Data Breach. The 24-hour clock starts when the Processor's incident response team has confirmed the Breach (not when an alert first fires).

11.1 Notification Contents

The initial notification will include, to the extent then known:

Description of the nature of the breach, including categories and approximate number of Data Subjects and records affected
Name and contact details of the Processor's privacy/security contact
Description of the likely consequences of the breach
Description of measures taken or proposed to address the breach, including mitigation of potential adverse effects
Timeline of events from detection through containment

11.2 Cooperation

The Processor shall cooperate with the Controller and provide all reasonably requested information to enable the Controller to fulfill its own breach notification obligations under GDPR Article 33, CCPA Cal. Civ. Code § 1798.82, TDPSA Tex. Bus. & Com. Code § 521.053, and analogous laws (including the CCPA 30-day notification requirement for breaches affecting 500+ California residents).

12. International Data Transfers

12.1 Primary Processing Location

Primary Processing occurs in the United States. The Processor hosts its production infrastructure with Render (US-East / Ohio region) and Cloudflare (global edge, configurable). The Service is offered to Customers established in the United States; if the Controller chooses to submit Personal Data originating in the EEA, the UK, or Switzerland, the safeguards in this Section 12 apply.

12.2 Standard Contractual Clauses (Module 2)

Where Personal Data is transferred from the European Economic Area to the Processor in the United States or to a Sub-processor outside the EEA, the Parties incorporate by reference the Standard Contractual Clauses, Module 2 (Controller-to-Processor) annexed to European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, with the following specifications:

Clause 7 (Docking): Optional docking clause does not apply.
Clause 9(a) (Sub-processors): Option 2 (general written authorization) applies; notification period is 30 days per Section 4.2.
Clause 11 (Redress): Optional independent redress language does not apply.
Clause 17 (Governing law): Irish law governs the SCCs.
Clause 18 (Choice of forum): Courts of Ireland have jurisdiction for the SCCs.

12.3 UK International Data Transfer Addendum

For Personal Data originating in the United Kingdom, the UK International Data Transfer Addendum is incorporated and takes precedence over the SCCs to the extent of any conflict with the IDTA. Annex 1A, 1B, and 2 of the IDTA correspond to Annex I.A, I.B, and II of this DPA, respectively. The "Approved Addendum" version is Version B1.0, in force 21 March 2022, as amended.

12.4 Transfer-Impact Assessment

The Processor will cooperate in good faith with the Controller on any transfer-impact assessment reasonably required under Applicable Data Protection Law, and will make available Annex II (TOMs) and the Sub-processor list to support that assessment.

13. Miscellaneous

This DPA is governed by the law stated in the Terms of Service (Texas), except where mandatory Applicable Data Protection Law requires otherwise (including, for SCC-governed transfers, Irish law per Clause 17). If any provision of this DPA is held invalid, the remaining provisions continue in full force. Amendments must be in writing and signed by both Parties (or, in the case of routine Sub-processor list updates, posted at /subprocessors per Section 4.2).

Annex I — Description of Processing

Annex I.A — List of Parties

Data Exporter (Controller): The Customer identified in the applicable Order Form or subscription record. Contact, role, and signature: as set out in the Service Agreement.

Data Importer (Processor): Resolon LLC, a Texas limited liability company doing business as "Lead Validator Pro," 1202 E US HWY 175 Suite A, Crandall, TX 75114, United States. Contact for data protection matters: legal@leadvalidatorpro.com; security matters: security@leadvalidatorpro.com; privacy matters: privacy@leadvalidatorpro.com.

Annex I.B — Description of Transfer

Categories of Data Subjects: Insurance-lead prospects (consumers) whose data is submitted by the Controller; the Controller's authorized users.
Categories of Personal Data: as described in Section 2.3.
Special categories of Personal Data: None, unless submitted by the Controller. The Controller is responsible for the legal basis for any Article 9 GDPR data it elects to submit.
Nature and purpose of the Processing: Automated validation, scoring, enrichment, fraud detection, disposition, reporting, and the derivative-data purposes in Sections 2.4 and 2.5.
Duration of the Processing: Duration of the Service Agreement plus the deletion window in Section 7. Derivative data per Section 2.5 is retained indefinitely.
Frequency of transfer: Continuous during the Service Agreement.

Annex I.C — Competent Supervisory Authority

The supervisory authority of the EU/EEA member state in which the Controller is established, or, where the Controller is not established in the EU/EEA, the Irish Data Protection Commission as the supervisory authority under SCC Clause 13(a)(iii).

Annex II — Technical and Organizational Measures

The Processor implements and maintains the following measures, which are deemed Article 32 GDPR TOMs and equivalent safeguards under analogous Applicable Data Protection Laws (including the FTC Safeguards Rule, 16 C.F.R. Part 314):

II.1 Encryption

TLS 1.2+ in transit on all client-server and Processor-to-Sub-processor links; HTTPS enforced via Cloudflare; WebSocket connections use WSS.
Encryption at rest at the storage layer for the Render Managed Postgres production database and managed snapshots.

II.2 Access Control

Identity, password storage, and session management are provided by WorkOS (SOC 2 Type II). Passwords are hashed by WorkOS using industry-standard algorithms; passwords are not stored by the Processor.
Sessions use sealed JWE cookies (encrypted-and-signed) with rotation per WorkOS recommendations; cookies are httpOnly, Secure, SameSite-restricted.
TOTP MFA (RFC 6238) is supported and required for privileged roles (admin, producer, super_admin).
JWT-based application sessions with CSRF token validation on state-changing endpoints.
Role-based access control (RBAC) with principle of least privilege.
Row-level multi-tenant isolation enforced at the database via Postgres RLS and SET LOCAL app.current_org_id per transaction.

II.3 Network and Application Security

Cloudflare WAF, Zero Trust Access on operator surfaces, Turnstile bot-protection on public signup and authentication surfaces.
Rate limiting per Subscriber and per IP on sensitive endpoints.
Parameterized queries throughout the application; server-side input validation.
Strict Content Security Policy, HSTS, X-Frame-Options: DENY, CORS restricted to production domains.

II.4 Logging and Monitoring

Structured JSONL audit logs with PII redaction.
Append-only retention for one (1) year on security and audit logs.
Sentry error tracking with server-side data scrubbing (PII keys, request bodies, session tokens dropped).
Real-time alerting on authentication anomalies, rate-limit triggers, and security events.

II.5 Incident Response

Documented Incident Response Plan at /incident-response.
24-hour Processor-to-Controller breach notification SLA (Section 11).
Annual review of the IRP; semi-annual tabletop exercise cadence.

II.6 Personnel

Confidentiality obligations in employment and contractor agreements.
Least-privilege production access; access reviewed periodically.
Security awareness expectation for all engineering personnel.

II.7 Sub-processor Management

Written agreements (or published DPAs) with all Sub-processors imposing data protection obligations no less protective than those in this DPA.
Sub-processor list published at /subprocessors; 30-day prior notice of changes (Section 4.2).

II.8 Business Continuity

Daily Render-managed Postgres snapshots; Render point-in-time recovery over a 7-day window.
Documented Disaster Recovery procedures; recovery point objective and recovery time objective tracked internally.

II.9 Change Management

Pull-request-gated production deploys with mandatory code review.
Automated test gating; immutable git history.
Secrets stored in Render environment variables with restricted deploy access; secrets are not present in source-control.

II.10 Audit

SOC 2 Type II readiness in progress (target: calendar year 2026); readiness materials maintained internally.
Enterprise customers may request a current security questionnaire (SIG-Lite or CAIQ-Lite format) by emailing security@leadvalidatorpro.com.

Annex III — Sub-processors

The authoritative list of Sub-processors, including legal entity, purpose, jurisdiction, certifications, and privacy-policy links, is published at /subprocessors and is incorporated into this DPA by reference. The list current as of the effective date of this DPA is reproduced in Section 4.1 above.

Signatures

By signing below, the Parties agree to be bound by the terms of this Data Processing Agreement.

Controller (Customer)

Authorized Signature

Printed Name and Title

Date

Processor (Resolon LLC)

Authorized Signature

Printed Name and Title

Date