← Back to Lead Validator Pro
Data Processing Agreement
Version 1.0 — Effective Date: March 4, 2026 Enterprise Template
This Data Processing Agreement ("DPA") is entered into between the Customer organization identified in the applicable Service Agreement ("Controller" or "Customer") and Lead Validator Pro LLC ("Processor" or "Company"), collectively referred to as the "Parties."
This DPA supplements and forms part of the Terms of Service and governs the Processor's processing of personal data on behalf of the Controller in connection with the Lead Validator Pro platform.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person processed under this DPA, including Lead Data as defined in the Terms of Service.
- "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, alignment, restriction, erasure, or destruction.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- "Applicable Data Protection Laws" means all applicable federal and state data protection and privacy laws, including GLBA, CCPA/CPRA, TDPSA, and any successor legislation.
2. Scope and Purpose of Processing
2.1 Subject Matter
The Processor processes Personal Data on behalf of the Controller for the purpose of providing insurance lead validation, quality scoring, fraud detection, and related analytical services.
2.2 Categories of Data Subjects
- Insurance lead prospects (consumers whose data is submitted for validation)
- Controller's employees and authorized users (account credentials and usage data)
2.3 Types of Personal Data Processed
| Category | Data Elements |
|---|
| Identity Data | Name, date of birth, gender |
| Contact Data | Phone number, email address, mailing address |
| Vehicle Data | VIN, make, model, year, registration state |
| Driver's License Data | DL number, state, status, expiration |
| Insurance Data | Current carrier, policy expiration, coverage type, claims history |
| Property Data | Ownership status, property type, valuation, characteristics |
| Financial Indicators | Estimated income range, credit tier (when provided) |
2.4 Processing Purposes
- Identity and contact verification across multiple data sources
- Address validation and property record matching
- Vehicle and driver's license verification via authorized databases
- AI-powered legitimacy scoring and fraud pattern detection
- Household composition analysis for multi-policy opportunities
- Disposition recommendation generation
- Compliance reporting and audit trail maintenance
3. Processor Obligations
- Process Personal Data only on documented instructions from the Controller, unless required by law
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures (see Section 5)
- Assist the Controller in responding to data subject rights requests
- Assist the Controller in ensuring compliance with data breach notification obligations
- Delete or return all Personal Data upon termination, at the Controller's choice (see Section 7)
- Make available all information necessary to demonstrate compliance and allow for audits
- Immediately inform the Controller if an instruction infringes applicable data protection law
4. Sub-processors
4.1 Authorized Sub-processors
The Controller provides general written authorization for the Processor to engage the following Sub-processors:
| Sub-processor | Purpose | Data Processed | Location |
|---|
| Google LLC | Cloud infrastructure, Maps API, geocoding, Street View | Address data, property imagery requests | USA |
| Trestle IQ Inc. | Phone carrier intelligence (RealContact API) | Phone numbers for carrier/line-type lookup | USA |
| Anthropic PBC | AI analysis engine (Claude API) | Lead data fields for legitimacy analysis; no persistent storage by Anthropic under API terms | USA |
| Enformion Inc. (EndatoGO) | Identity verification, contact enrichment | Name, address for identity matching and enrichment | USA |
| IPQualityScore LLC (IPQS) | Email and phone fraud scoring | Email address, phone number for fraud analysis | USA |
| ATTOM Data Solutions LLC | Property data validation | Address for property records lookup | USA |
4.2 Sub-processor Changes
The Processor shall notify the Controller at least 30 days before engaging a new Sub-processor or replacing an existing one. The Controller may object to the change within 14 days. If the Processor cannot reasonably accommodate the objection, either party may terminate the affected services.
4.3 Sub-processor Obligations
Each Sub-processor is bound by a written agreement imposing data protection obligations no less protective than those in this DPA. The Processor remains fully liable for the acts and omissions of its Sub-processors.
5. Security Measures
The Processor implements and maintains the following technical and organizational security measures:
5.1 Technical Measures
- Encryption in Transit: TLS 1.2+ for all API communications; HTTPS enforced via Cloudflare edge proxying
- Encryption at Rest: AES-256 encryption for sensitive data fields; SQLite databases with restricted file permissions (0600)
- Authentication: Argon2id password hashing; JWT-based session management with refresh token rotation; optional TOTP-based multi-factor authentication
- Access Control: Role-based access control (RBAC) with principle of least privilege; per-organization data isolation
- Network Security: Cloudflare WAF, DDoS protection, bot management; Cloudflare Turnstile CAPTCHA on authentication endpoints
- API Security: Rate limiting per endpoint and per IP; CSRF token validation; input sanitization and parameterized queries
- Monitoring: Real-time security event logging; automated suspicious activity detection; login anomaly alerts
5.2 Organizational Measures
- Access to production systems restricted to authorized personnel
- Employee background checks and confidentiality agreements
- Regular security awareness training
- Documented incident response plan (see Incident Response Plan)
- Periodic security assessments and penetration testing
- Comprehensive audit logging of all data access and administrative actions
6. Data Breach Notification
72-Hour Notification Commitment
The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Data Breach affecting the Controller's Personal Data.
6.1 Breach Notification Contents
The notification shall include, to the extent available:
- Description of the nature of the breach, including categories and approximate number of data subjects and records affected
- Name and contact details of the Processor's privacy/security contact
- Description of the likely consequences of the breach
- Description of measures taken or proposed to address the breach, including mitigation of potential adverse effects
- Timeline of events from detection through containment
6.2 Cooperation
The Processor shall cooperate with the Controller and provide all reasonably requested information to enable the Controller to fulfill its own breach notification obligations under applicable law (including the CCPA 30-day notification requirement for California residents).
7. Data Return and Deletion
7.1 Upon Termination
Upon termination or expiration of the Service Agreement:
- The Controller may request a complete export of all Personal Data in JSON or CSV format within 30 days
- After the 30-day export window (or upon written instruction), the Processor shall permanently delete all Personal Data from active systems within 14 days
- Personal Data in backup systems shall be deleted within 30 days of primary deletion
- The Processor shall provide written confirmation of deletion upon request
7.2 Retention Exceptions
The Processor may retain Personal Data beyond the termination date only to the extent required by applicable law (e.g., audit logs required for regulatory compliance). Such data shall be segregated and protected, and deleted when the legal requirement expires.
8. Audit Rights
The Controller has the right to audit the Processor's compliance with this DPA:
- Up to once per year during the term of the agreement, with 30 days' prior written notice
- Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's operations
- The Controller may engage a qualified, independent third-party auditor (bound by confidentiality) to conduct the audit
- The Processor shall provide reasonable access to relevant facilities, systems, and documentation
- Audit costs are borne by the Controller, unless the audit reveals material non-compliance, in which case the Processor bears the cost
9. Liability
Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service, except that neither party's liability for breaches of this DPA relating to data protection obligations shall be limited to the extent prohibited by applicable law.
10. Term and Termination
This DPA takes effect on the date the Controller begins using the Service and remains in effect as long as the Processor processes Personal Data on behalf of the Controller. The Processor's obligations under Sections 5, 6, and 7 survive termination.
Signatures
By signing below, the Parties agree to be bound by the terms of this Data Processing Agreement.
Controller (Customer)
Authorized Signature
Printed Name and Title
Date
Processor (Lead Validator Pro LLC)
Authorized Signature
Printed Name and Title
Date