Data Processing Agreement
This Data Processing Agreement (DPA) forms part of the CogniLead Terms of Service and governs the processing of Personal Data by CogniLead as a Processor on behalf of the Customer as a Controller. It is drafted to satisfy Article 28 of the GDPR and the equivalent provisions of the Swiss revFADP.
1. Definitions
- Controller — the Customer, who determines the purposes and means of the processing.
- Processor — CogniLead, which processes Personal Data on behalf of the Controller.
- Sub-processor — any third party engaged by CogniLead to process Personal Data on behalf of the Controller.
- Personal Data — any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
- Data Subject — the individual to whom the Personal Data relates. For CogniLead, these are the recipients of the Customer's outbound emails: corporate role holders contacted at corporate email addresses.
- Processing — any operation performed on Personal Data, including collection, storage, structuring, use, disclosure, and erasure.
2. Subject matter
CogniLead processes Personal Data on behalf of the Customer for the purpose of operating the Customer's outbound communication pipelines. This includes ingesting public technical signals, generating personalized pitches, dispatching email, recording the full audit trail through Chainlog, and producing GDPR evidence packs on request.
3. Duration
This DPA applies for the term of the Customer's subscription and for any post-termination retention period explicitly required for legal or evidentiary purposes (such as the 7-year retention of send-event audit records). On request the Customer may instruct earlier deletion, subject to the limits in section 7.
4. Nature and purpose
The processing activities cover:
- Running outbound email pipelines on behalf of the Customer.
- Scoring leads against the Customer's criteria and jurisdiction rules.
- Generating personalized pitches via the LLM provider the Customer has configured.
- Persisting an immutable audit trail of every send, decision, and policy gate result.
- Producing evidence packs and Data Subject Right responses on request.
5. Categories of data subjects
The Personal Data we process on behalf of the Customer relates to recipients of cold outbound communications — specifically corporate role holders contacted at a corporate email address (such as engineering@, hiring@, or a named professional inbox). We do not process personal or private contact information of consumers.
6. Categories of personal data
- Identifiers: corporate email address and role class (for example “engineering lead”, “security officer”).
- Professional context: job posting URL, company domain, technical hook text derived from public sources.
- Send metadata: subject lines, message identifiers, delivery and engagement events, suppression status.
We do not process special categories of personal data within the meaning of Article 9 GDPR, and we do not process data relating to criminal convictions within the meaning of Article 10 GDPR.
7. Obligations of the processor
In line with Article 28(3) GDPR, CogniLead undertakes to:
- Process Personal Data only on the documented instructions of the Controller, including with regard to transfers to a third country. The Customer's configuration in the dashboard and API constitutes documented instructions.
- Ensure that personnel authorized to process Personal Data are under appropriate contractual confidentiality obligations.
- Implement the technical and organizational measures required by Article 32 GDPR. The current measures are described at /legal/security and summarized in Annex 2.
- Assist the Controller in fulfilling its obligation to respond to Data Subject requests under Articles 12 to 22 GDPR, including access, rectification, erasure, restriction, portability and objection.
- Assist the Controller with the obligations under Articles 32 to 36 GDPR, including notifying the Controller of a Personal Data breach without undue delay (in practice, within 48 hours of discovery) so that the Controller can meet its own 72-hour notification deadline under Article 33(1) GDPR.
- On termination of the services, and at the choice of the Controller, delete or return all Personal Data, unless retention is required by Union or Member State law.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA. Customers may audit CogniLead's controls once per calendar year on 30 days' written notice, at the Customer's cost, conducted during business hours and subject to confidentiality.
8. Sub-processors
The Controller grants general written authorization for the engagement of the sub-processors listed in Annex 3. CogniLead will give at least 30 days' notice of any intended addition or replacement, by email to the address on file and by an update to this page. The Controller may object on reasonable grounds during that notice period; if no commercially reasonable resolution can be found, the Controller may terminate for cause.
9. International transfers
By default, Personal Data is processed within the European Union or within Switzerland, depending on the jurisdiction selected by the Controller. Where a sub-processor processes Personal Data outside the EEA or Switzerland, CogniLead relies on the European Commission's Standard Contractual Clauses (Decision 2021/914) and, where applicable, the UK International Data Transfer Addendum and the Swiss equivalent recognized by the FDPIC.
Where the Controller explicitly configures a non-EU LLM provider using its own API key, that configuration constitutes the Controller's instruction to transfer Personal Data to that jurisdiction. CogniLead will not select such a provider on the Controller's behalf.
10. Liability
The aggregate liability of each party under or in connection with this DPA is capped at the fees paid by the Customer to CogniLead in the twelve months preceding the event giving rise to the claim. Neither party is liable for indirect, consequential, special or punitive damages. Nothing in this section limits liability that cannot be excluded under applicable law.
11. Term and termination
This DPA is coterminous with the main agreement between the Controller and CogniLead. On termination, sections that by their nature should survive (in particular, confidentiality, audit rights for completed periods, and post-termination data return or deletion obligations) survive.
Annex 1 — Description of processing activities
CogniLead processes Personal Data on the Controller's documented instructions for the following activities:
- Ingesting public technical signals indicated by the Controller.
- Generating personalized cold outbound pitches grounded in those signals.
- Dispatching email through the Customer's configured sender domains.
- Recording every step in an immutable Chainlog audit chain bound to the Controller's tenant.
- Honoring suppression and Data Subject Rights requests.
- Producing GDPR evidence packs (JSON and PDF) on request, scoped to the Controller's tenant.
Annex 2 — Technical and organizational measures
The canonical, continuously updated list is published at /legal/security. The key measures applicable to this DPA include:
- TLS 1.3 for all traffic in transit.
- AES-256 encryption at rest.
- Multi-factor authentication enforced on the dashboard.
- Postgres Row Level Security on every table keyed by tenant_id, verified by independent penetration test before public GA.
- Secrets segregation via Supabase Vault; no tenant secrets in environment variables.
- Argon2id-hashed API keys at rest, displayed only at the moment of creation.
- Daily encrypted backups with 30-day retention in a geographically separate region within the same jurisdiction.
- Audit logging of every dashboard action and every API call to Chainlog, recording tenant_id, actor, action, resource, and ip.
- Incident response: 4-hour pager rotation, breach notification to the Controller within 48 hours of discovery, public post-mortem within 7 days.
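The Row Level Security measure above is the control that keeps one Controller's Personal Data invisible to every other tenant sharing the same database. The following is an added illustration of how such a tenant-keyed policy is typically written in Postgres; it is not CogniLead's schema or policy text. The table name send_events, the role app_rw, the session setting app.tenant_id and the UUID values are assumptions for the example.

```sql
-- Added illustration only; not CogniLead's schema. The table, role and
-- session-setting names below are assumptions for the example.
CREATE TABLE send_events (
  id          bigserial PRIMARY KEY,
  tenant_id   uuid NOT NULL,
  recipient   text NOT NULL,       -- corporate address, e.g. engineering@
  message_id  text NOT NULL,
  sent_at     timestamptz NOT NULL DEFAULT now()
);

-- ENABLE turns RLS on for non-owner roles; FORCE makes the table owner
-- subject to the policy too, so a migration role cannot read across tenants.
ALTER TABLE send_events ENABLE ROW LEVEL SECURITY;
ALTER TABLE send_events FORCE ROW LEVEL SECURITY;

-- The tenant is taken from a per-request session setting. current_setting
-- with missing_ok = true returns NULL when the setting was never defined,
-- and NULLIF handles the case where it was defined earlier and then reset
-- to '' (a bare ''::uuid cast would raise instead). A NULL comparison
-- evaluates to unknown, so a request with no tenant context sees zero rows
-- rather than all of them.
CREATE POLICY tenant_isolation ON send_events
  USING (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
  WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Application role: no ownership of the table and no BYPASSRLS attribute.
CREATE ROLE app_rw NOLOGIN;
GRANT SELECT, INSERT ON send_events TO app_rw;

-- Per request: SET LOCAL scopes the tenant to the transaction, so a pooled
-- connection cannot carry tenant A's context into tenant B's next transaction.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO send_events (tenant_id, recipient, message_id)
  VALUES ('11111111-1111-1111-1111-111111111111',
          'engineering@example.com', '<m1@example.com>');
SELECT count(*) FROM send_events;   -- counts only this tenant's rows
COMMIT;

-- Negative check: an INSERT whose tenant_id differs from the session tenant
-- fails the WITH CHECK clause instead of silently landing in another tenant.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO send_events (tenant_id, recipient, message_id)
  VALUES ('22222222-2222-2222-2222-222222222222',
          'hiring@example.com', '<m2@example.com>');  -- ERROR: new row violates row-level security policy
ROLLBACK;
```

Two points a reviewer would check against any RLS deployment of this kind: that FORCE is set (otherwise the owning role bypasses the policy), and that the role the application connects as is neither a superuser nor marked BYPASSRLS, since either silently disables the control. On Supabase specifically, policies are more commonly keyed on the authenticated user's JWT claims than on a session setting; the structure of the policy is the same, only the source of the tenant identifier changes.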
Annex 3 — Sub-processors
- Supabase — authentication, Postgres database, Storage, Vault. EU region by default; CH region available.
- Resend — transactional and outbound email dispatch.
- Vercel — Next.js application hosting.
- Cloudflare — edge network, DDoS protection.
- Stripe — billing and invoicing (when paid plans are enabled).
- Per-tenant LLM providers (configured by Customer): Gemini (Google), OpenAI, Mistral, Anthropic, Infomaniak. Only providers explicitly configured by the Customer receive any Personal Data.
The current sub-processor list is mirrored on the Privacy Policy and updated in lockstep.