Effective date: 01.07.2025
This document is an appendix to, and forms part of, the Terms of Service (the “Terms”) between the Customer (hereinafter the “Data Controller” or “Controller”) and Maelstrom OÜ (hereinafter “Findaroo” or the “Processor”). Each is a “Party” and together the “Parties”.
Capitalised terms not defined here have the meaning given in the Terms.
1.1 Subject Matter. The Processor Processes Personal Data on behalf of the Controller to provide Findaroo services that assist in finding, verifying, cleaning, enriching, deduplicating and updating business contact data, including algorithmic generation and verification of professional email addresses (the “Services”).
1.2 Duration. This DPA applies for the term of the Terms and until Personal Data is deleted or returned per Section 11.
1.3 Nature & Purpose. Processing includes collection, generation, validation, enrichment, matching, deduplication, storage, transmission and deletion of Personal Data as necessary to deliver and secure the Services and meet legal obligations.
1.4 Data & Subjects. Types of Personal Data and categories of Data Subjects are specified in Annex I.
2.1 Roles. The Controller determines the purposes and means of the Processing. The Processor acts solely as processor of Personal Data for the Services.
2.2 Instructions. The Processor shall Process Personal Data only on documented instructions from the Controller (including settings and API calls within the Services), unless Union or Member State law requires otherwise, in which case the Processor will inform the Controller (unless legally prohibited).
2.3 Unlawful Instructions. If, in the Processor’s opinion, an instruction infringes applicable data protection law, the Processor will promptly notify the Controller and may suspend that instruction.
2.4 Controller responsibilities. The Controller ensures a lawful basis, provides required transparency notices (including GDPR Art. 14 where applicable), responds to data-subject requests, and issues lawful instructions. The Controller warrants it will not provide special category data or children’s data and will ensure submissions are accurate and limited to what is necessary.
The Processor ensures that persons authorised to Process Personal Data are bound by confidentiality and receive appropriate data protection training, with role-based, least-privilege access.
4.1 TOMs. The Processor implements appropriate technical and organisational measures (“TOMs”) per Article 32 GDPR, described in Annex II.
4.2 Encryption. Personal Data is encrypted in transit (TLS 1.2+). The Processor does not apply encryption at rest to Controller Personal Data in production data stores; compensating controls include least-privilege access, network isolation, and monitoring.
4.3 Resilience & Continuity. Service resilience is provided via provider-level redundancy. The Processor does not maintain persistent backups of Controller Personal Data.
4.4 Minimisation & Retention. The Processor minimises Personal Data and retains it only as specified in Annex I or as instructed by the Controller.
5.1 Authorised Sub-Processors. Sub-Processors are listed in Annex III. Each is bound by written terms that are no less protective than this DPA.
5.2 Changes. The Processor will provide at least 30 days’ prior notice of intended additions or replacements. If the Controller reasonably objects on data-protection grounds, the Parties will seek a solution; failing that, the Controller may terminate the affected Services with a pro-rated refund of prepaid unused fees.
5.3 Liability. The Processor remains fully liable for Sub-Processors’ performance.
6.1 EEA-only. Processing and hosting occur exclusively within the EEA.
6.2 Future transfers. If a transfer outside the EEA becomes necessary, the Processor will comply with Chapter V GDPR, including the EU Standard Contractual Clauses (2021/914) and appropriate safeguards, and will update the Sub-Processor list and this DPA as needed.
7.1 Data-Subject Rights. Taking into account the nature of Processing, the Processor will assist the Controller in responding to requests under Chapter III GDPR. If a request is made directly to the Processor, it will promptly forward it to the Controller and refrain from responding unless instructed.
7.2 Security, DPIAs & Consultation. The Processor will provide reasonable assistance regarding security obligations, DPIAs and prior consultations, considering the nature of Processing and information available to the Processor.
8.1 Notice. The Processor will notify the Controller without undue delay and in any event within 48 hours of becoming aware of a Personal Data Breach affecting Personal Data Processed for the Controller.
8.2 Content & Updates. The notice will include information reasonably available to assist the Controller with its obligations and will be updated as further details emerge.
8.3 Mitigation. The Processor will take appropriate steps to mitigate effects and prevent recurrence.
The Processor will make available a documentation pack sufficient to demonstrate compliance with Article 28 GDPR and will respond in writing to reasonable security questionnaires. This fulfils the Controller’s audit right. Audits are limited to remote reviews of documentation and written Q&A, no more than once every 12 months (or following a material Personal Data Breach), with 30 days’ prior notice. On-site inspections or access to live production systems/data are excluded, except where required by applicable law or a competent supervisory authority. Information may be redacted to protect security, trade secrets, and other customers’ data. Each Party bears its own costs.
10.1 No independent use. The Processor will not Process Personal Data for its own purposes.
10.2 Aggregated/de-identified statistics. The Controller authorises the Processor to generate Aggregated or De-identified statistics (e.g., deliverability rates by domain) to maintain, secure and improve the Services, provided such outputs do not identify any data subject or the Controller. No Personal Data is used to train models unless expressly instructed in writing.
11.1 During term. The Controller may export Personal Data via available tools/APIs.
11.2 End of Processing. Upon termination/expiry or on written request, the Processor will delete (or, at the Controller’s election, return) all Personal Data and delete existing copies within 30 days, unless Union or Member State law requires storage. The Processor does not maintain persistent backups.
11.3 Certification. On request, the Processor will certify deletion/return in writing.
The Processor maintains Article 30(2) GDPR records for Processing carried out on behalf of the Controller and will make them available to the supervisory authority upon request.
13.1 Liability. Each Party’s liability under this DPA is subject to the limitations in the Terms, unless prohibited by law.
13.2 Precedence. In a conflict between this DPA and the Terms regarding data protection, this DPA prevails. If the SCCs apply, they prevail for international transfers.
14.1 Supervisory authority. Primary authority: Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).
14.2 Governing law & jurisdiction. EU/EEA data protection law and Estonian law (where not in conflict with the GDPR); disputes per the Terms.
14.3 Contact. Privacy & incident contact: hola@findaroo.eu.
14.4 Severability. If any provision is invalid, the remainder remains in force.
Annex I
A. Data Subjects
B. Personal Data
Special categories: not intended; do not provide.
Children’s data: not intended; do not provide.
C. Purposes
Provide, maintain and support the Services; generate/verify business email addresses; cleanse/enrich/deduplicate contact data; return results; ensure security/fraud prevention; meet legal obligations.
D. Retention
E. Operations
Collection, generation, algorithmic prediction, validation (MX/SMTP/syntax), enrichment from public/business sources, deduplication, storage, transmission, deletion.
F. Location
EEA only, specifically Germany (Frankfurt) and France (Paris).
Annex II
1. Governance & Access
Least-privilege; MFA for admin; unique IDs; session timeouts; RBAC; quarterly access reviews; admin action logging.
2. Physical & Infrastructure
ISO/SOC-audited facilities; visitor controls; redundant power/network.
3. Network & Application
TLS in transit (no at-rest encryption); segmentation; firewalls/security groups; rate-limits; SDLC with code review; dependency/vulnerability scanning; patching; periodic security testing (incl. vulnerability scanning and, where appropriate, third-party penetration tests) with remediation.
4. Data Management
Minimisation; no persistent backups; defined deletion for primary storage and caches.
5. Monitoring & Incidents
Self-hosted logging/monitoring in the EEA; anomaly alerting; incident response (assessment, containment, eradication, recovery, post-mortem).
6. Vendors & Sub-Processors
Due diligence; contractual TOMs; ongoing monitoring.
7. Continuity
Provider-level redundancy; procedures proportionate to the Services.
Annex III
| Sub-Processor | Service | Location of Processing | Legal Basis |
|---|---|---|---|
| DigitalOcean LLC | Cloud compute & storage (IaaS) | Frankfurt (DE), Paris (FR) | N/A (EEA) |
A. Method Safeguards
Non-intrusive verification (syntax, DNS/MX, SMTP dialogue without sending content or unsolicited emails); respect server anti-abuse signals; throttle appropriately.
B. Mailbox Access
None. The Processor does not request or access Controller mailboxes.
C. Caching
Short-lived caching of verification results for performance (up to 7 days) to avoid repetitive queries.
D. Prohibited Data
No special category data, children’s data, or data not strictly necessary for B2B prospecting.
E. Transparency Support
On request, the Processor can provide Art. 14 first-contact notice templates.