Legal · For procurement

Data Processing Addendum

First draft — pending attorney review. Not legal advice.

TEMPLATE — not legal advice. Have a lawyer review before the first enterprise customer signs it. This exists so a procurement question never stalls a deal: 90% of "do you have a DPA?" requests are satisfied by a document of exactly this shape.

Between: Atlantis LLC, d/b/a SignalCore ("Processor") and the customer identified in the applicable order form ("Controller").

Effective date: the date of the underlying service agreement.

1. Roles & scope

1.1. Controller owns and controls all personal data collected from its website(s) via the SignalCore tracker. Processor processes that data solely to provide the SignalCore service: session analytics, visitor-intelligence enrichment, intent scoring, alerting, reporting, and delivery of data to destinations the Controller configures (CRM, ad platforms, notification channels).

1.2. Processor does not sell personal data, does not use Controller data to train models, and does not combine one Controller's data with another's. All intelligence flows to the Controller's own systems.

2. Data processed

| Category | Detail | Gate |
|---|---|---|
| Session telemetry | Page paths, dwell time, clicks, video engagement, referrer, coarse geo (city/region/postal) | Always on (legitimate interest — same basis as standard web analytics) |
| Pseudonymized network identifiers | IP address HMAC-hashed with a per-Controller secret; raw IP never stored | Always on |
| Company enrichment | Reverse-IP company resolution via subprocessors | Only after visitor consent (Controller's cookie banner) |
| Email identifiers | SHA-256 hash of form-submitted email (unsalted, for ad-platform matching) | Only after visitor consent |
| Person-level identity | Name/title/LinkedIn via RB2B (visitors who opted into RB2B's network) | Only after visitor consent |

3. Controller obligations

3.1. Controller maintains a lawful basis (and where required, consent mechanism) for the tracking described above, and wires its consent signal to the tracker per the install guide. The tracker ships with consent off by default.

3.2. Controller is responsible for the accuracy of destinations it configures (CRM credentials, ad pixels, webhook URLs).

4. Processor obligations

4.1. Confidentiality. Access limited to personnel who need it to operate the service.

4.2. Security. Transport encryption (TLS) on all data in transit; storage on Cloudflare's infrastructure (D1/KV/Analytics Engine); per-Controller HMAC peppers for IP pseudonymization; secrets stored in the platform secret store, never in code; admin access authenticated and audit-logged.

4.3. Retention. Raw interaction events: 90 days. Per-path engagement: 180 days. Sessions: 13 months. Dispatch/audit logs: 12 months. Client-uploaded account lists (pipeline/target contacts): 25 months. Enforced automatically by scheduled deletion.

4.4. Deletion & data-subject requests. On Controller request, Processor erases a data subject (by session, company, or hashed email) within 30 days via the built-in erasure facility, and confirms counts of records removed. On termination, Processor deletes the Controller's tenant data within 30 days, including destruction of the Controller's identity-pseudonym key (crypto-shredding) — visitor IP pseudonyms are HMAC-derived with a per-Controller secret, and destroying that secret renders every stored pseudonym permanently unlinkable, including in any backup.

4.5. Breach notice. Processor notifies Controller without undue delay (and within 72 hours) of becoming aware of a personal-data breach affecting Controller data.

4.6. Assistance. Processor provides reasonable assistance with Controller's DPIAs and data-subject requests insofar as they concern SignalCore-processed data.

5. Subprocessors

Controller authorizes the subprocessors listed below. Processor will give 30 days' notice before adding or replacing any subprocessor; Controller may object on reasonable data-protection grounds.

| Subprocessor | Purpose | Data shared | Location |
|---|---|---|---|
| Cloudflare, Inc. | Hosting, storage (Workers/D1/KV/Analytics Engine/Queues), CDN | All service data | Global edge (US-controlled) |
| IPinfo (IPinfo.io) | IP classification (bot/datacenter/ISP filtering) and company lookup | Visitor IP (transient, consent-gated) | US |
| Apollo.io | Company firmographic enrichment | Company domain/name derived from IP (consent-gated) | US |
| RB2B | Person-level identity for visitors in RB2B's opt-in network | Visitor IP (consent-gated, US visitors only) | US |
| Resend, Inc. | Transactional email (reports, alerts) | Report contents, recipient email (Controller's own staff) | US |
| ntfy.sh (or self-hosted ntfy) | Push notifications to Controller's devices | Alert text (company name, score) | EU/US |
| Meta Platforms / CRM vendors / Slack | Controller-configured destinations — only active if Controller connects them | Hashed email, event metadata | Per vendor |

6. Transfers

Data is processed in the United States on Cloudflare infrastructure. For Controllers subject to GDPR, the parties rely on the EU-U.S. Data Privacy Framework participation of the relevant subprocessors and/or Standard Contractual Clauses incorporated by reference.

7. Audit

Processor will, no more than annually and under NDA, answer reasonable written security questionnaires and provide summaries of its security practices in lieu of on-site audits.

8. Liability & order of precedence

This DPA is subject to the limitations of liability in the underlying agreement. If this DPA conflicts with the underlying agreement on data-protection matters, this DPA controls.


Signatures

| | Controller | Processor |
|---|---|---|
| Name | | Houston Hanna |
| Title | | Owner, Atlantis LLC |
| Date | | |