Qualified Deals

Data Processing Addendum

Effective Date: 29 May 2026

Last Updated: 29 May 2026

This Data Processing Addendum (“DPA”) governs the processing of personal data by Gallivant Ventures LLP, trading as Qualified Deals (“Processor”), on behalf of the Client (“Controller”) under a Database Hygiene engagement. It forms part of and is incorporated into the Terms and Conditions. In the event of conflict between this DPA and the Terms and Conditions, this DPA prevails for the subject matter it covers.

This DPA is designed to satisfy the requirements of GDPR Article 28 (EU/UK) and the Digital Personal Data Protection Act, 2023 (India) for the processor relationship in Database Hygiene engagements. It applies when the Client shares CRM or contact data with Qualified Deals for verification, cleaning, or enrichment.

1. Subject Matter and Nature of Processing

Qualified Deals will process personal data provided by the Client solely for the purpose of verifying, cleaning, and enriching CRM contact records as defined in the agreed Scope Document. Processing activities include: email address verification (SMTP validation), LinkedIn employment verification, job title and company name verification, and replacement of stale or incorrect records with updated information sourced through our standard research methodology.

2. Duration

Processing commences on receipt of the Client’s CRM data and concludes on final delivery of the cleaned file to the Client. Client data is retained for 30 days after delivery to support revision requests, then permanently deleted in accordance with the retention terms in the Privacy Policy and Section 7 of the Terms and Conditions.

3. Types of Personal Data

The personal data processed under this DPA is limited to business contact information: full name, job title, business email address, business phone number, company name, LinkedIn profile URL, and country/region. Qualified Deals does not process sensitive personal data (as defined under GDPR Article 9 or DPDP Act 2023) under any Database Hygiene engagement.

4. Categories of Data Subjects

Data subjects are employees, contractors, or representatives of business organisations appearing in the Client’s CRM who have provided their business contact details in a professional capacity.

5. Processor Obligations

  • Instructions: Qualified Deals processes Client data only on documented instructions from the Client, as specified in the Scope Document. If we believe an instruction infringes applicable data protection law, we will notify the Client promptly.
  • Confidentiality: All team members with access to Client data are bound by confidentiality obligations. Access is limited to named team members on the specific engagement.
  • Security: We implement the technical and organisational measures described in Section 11 of our Privacy Policy, including TLS/SSL encryption in transit, encryption at rest, access controls, and multi-factor authentication on internal systems.
  • Sub-processors: We use the following sub-processors in the course of Database Hygiene engagements: Google Workspace (cloud storage and email), Dropbox (project file delivery), and SMTP verification tools. We will notify the Client of any intended changes to our sub-processor list with reasonable advance notice, and the Client may object in writing within 10 days of notification.
  • Data subject rights: We will assist the Client in responding to data subject rights requests (access, rectification, erasure, restriction, portability) that relate to data processed under this DPA, within 5 business days of the Client’s written request.
  • Data protection impact assessments: We will provide reasonable assistance to the Client in conducting DPIAs where processing under this DPA is likely to result in a high risk to data subjects.
  • Deletion or return: On completion of the engagement or on the Client’s written request, we will deliver the cleaned data file and permanently delete all copies of Client-provided data from our systems within 30 days. We will confirm deletion in writing on request.
  • Audit rights: We will make available to the Client all information reasonably necessary to demonstrate compliance with this DPA, and permit and contribute to audits or inspections conducted by the Client or a mandated auditor, subject to reasonable notice and confidentiality obligations.

6. Controller Obligations

The Client warrants that: (a) it has a lawful basis for sharing the personal data with us; (b) the data subjects have been informed of the processing in accordance with applicable law; and (c) the Client’s instructions to us comply with applicable data protection law.

7. Data Breach Notification

In the event of a personal data breach affecting data processed under this DPA, we will notify the Client without undue delay and in any event within 72 hours of becoming aware of the breach. Notification will include: the nature of the breach, the approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address the breach.

8. International Transfers

Client-provided data is processed in India and stored in cloud infrastructure operated by Google (Google Workspace) and Dropbox, which may involve processing in multiple jurisdictions. Both providers operate under Standard Contractual Clauses (SCCs) and applicable transfer mechanisms for EU/UK data. No Client data is transferred to jurisdictions restricted under applicable data protection law without appropriate safeguards.

9. Execution

This DPA is incorporated into the Terms and Conditions by reference. It takes effect when the Client confirms the Scope Document for a Database Hygiene engagement. No separate signature is required; email confirmation of the Scope Document constitutes the Client’s agreement to this DPA. Clients requiring a separately signed DPA may request one by emailing [email protected].

10. Contact

Gallivant Ventures LLP
Kochi, Kerala, India
Email: [email protected]
LLPIN: ACB-5193 · GSTIN: 32AAZFG7923K1ZR

error: Content is protected !!