DATA PROCESSING AGREEMENT (DPA)
Last updated: February 2026
BETWEEN:
- The Client (as identified in the Order Confirmation), hereinafter referred to as the "Data Controller"; and
- Leapware B.V., established at H.J.E. Wenckebachweg 123, 1096 AM Amsterdam, registered with the Chamber of Commerce under number 99044358, hereinafter referred to as the "Data Processor".
(Each a "Party" and together the "Parties")
Article 1. Definitions
1.1 Capitalized terms used in this DPA shall have the meanings set forth in the General Terms of Service, unless defined otherwise below.
1.2 The following terms have the meanings ascribed to them in the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"):
"Controller", "Processor", "Data Subject", "Personal Data", "Processing", and "Personal Data Breach".
1.3 "Sub-processor": Any third party engaged by the Data Processor to process Personal Data on behalf of the Data Controller.
1.4 "Third Party Data": Personal Data originating from third-party sources (specifically Creditsafe Nederland B.V. and the Chamber of Commerce) provided to the Data Controller via the Service.
Article 2. Subject Matter and Roles
2.1 Scope of Processing This DPA governs the Processing of Personal Data by Leapware B.V. on behalf of the Client in the context of providing the HubSpot Application services (the "Service"). The nature and purpose of the Processing are limited to those necessary to provide the functionality of the App, including: a. Retrieving and displaying data within the Client’s HubSpot environment; b. Enriching Client records with Third Party Data; c. Technical storage and synchronisation of data logs required for the functioning of the App.
2.2 Roles of the Parties (Hybrid Model) The Parties acknowledge and agree that their roles under the GDPR vary depending on the data flow:
A. Client Data (HubSpot Data): Regarding Personal Data originating from the Client’s HubSpot portal (e.g., search queries, existing CRM records), the Client is the Controller and Leapware B.V. is the Processor.
B. Third Party Data Supply: Regarding the supply of Third Party Data (e.g., credit reports, KVK extracts), the Parties acknowledge that the upstream providers (Creditsafe Nederland B.V. and KVK) act as Independent Controllers. Leapware B.V. acts as a gateway for this data. Once this data is incorporated into the Client’s HubSpot environment, the Client becomes the Controller of that record, and Leapware B.V. processes it as a Processor for storage/display purposes.
2.3 Client Instructions Leapware B.V. shall process Personal Data only in accordance with the documented instructions of the Client, which include this DPA and the functions selected by the Client within the App (e.g., clicking "Update Company"), unless required to do otherwise by Union or Member State law to which Leapware B.V. is subject.
2.4 Costs for Assistance If the Client requests assistance from Leapware B.V. regarding Data Subject rights (access, rectification, deletion) or data exports that go beyond the standard functionality of the Service, Leapware B.V. is entitled to charge reasonable costs for such assistance based on its standard hourly rates.
Article 3. Security and Confidentiality
3.1 Technical and Organizational Measures Leapware B.V. shall implement and maintain appropriate technical and organizational measures to protect the Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, alteration, or disclosure. These measures shall ensure a level of security appropriate to the risk, including at a minimum: a. The use of secure and encrypted connections (SSL/TLS) for data transmission; b. Access controls ensuring that only authorized personnel have access to the Personal Data; c. Regular testing and evaluation of the effectiveness of the security measures.
3.2 Confidentiality of Personnel Leapware B.V. ensures that persons authorized to process the Personal Data (including employees and contractors) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. This obligation survives the termination of their employment or engagement.
3.3 Personal Data Breach Notification In the event of a Personal Data Breach affecting the Client’s data, Leapware B.V. shall notify the Client without undue delay after becoming aware of the breach. The notification shall, to the extent available at that moment, include: a. The nature of the breach and the categories of data concerned; b. The likely consequences of the breach; c. The measures taken or proposed to mitigate possible adverse effects; d. A contact point where more information can be obtained.
Leapware B.V. shall keep a register of all security incidents and breaches, which may be inspected by the Client upon reasonable request.
Article 4. Sub-processors
4.1 General Authorization The Client grants Leapware B.V. a general authorization to engage third parties ("Sub-processors") to process Personal Data on behalf of the Client to provide the Service.
4.2 Approved Sub-processors The Client explicitly approves the engagement of the following entities required for the core functionality and hosting of the App:
- Hosting & Infrastructure:
  - Heroku (Salesforce, Inc.): For application hosting and data processing.
  - HubSpot, Inc.: For CRM integration, data storage, and platform functionality.
- Data Supply (Independent Controllers):
  - Creditsafe Nederland B.V.: For the supply of business and credit information.
  - Chamber of Commerce (KVK): For the verification of business registry data.
4.3 Changes to Sub-processors Leapware B.V. shall inform the Client of any intended changes concerning the addition or replacement of Sub-processors at least 14 days in advance, thereby giving the Client the opportunity to object to such changes.
4.4 Liability Leapware B.V. remains fully liable to the Client for the performance of the Sub-processor’s obligations.
Article 5. International Data Transfers
5.1 Data Location Leapware B.V. warrants that the primary hosting locations for Personal Data processed via its Sub-processors (Heroku and HubSpot) are configured within the European Economic Area ("EEA").
5.2 Incidental Transfers The Client acknowledges that the Sub-processors mentioned in Article 4 are subsidiaries of companies headquartered in the United States. Therefore, limited processing outside the EEA may occur solely for specific purposes such as technical support, security maintenance, or platform stability.
5.3 Safeguards Leapware B.V. warrants that any such incidental transfer of Personal Data to a third country outside the EEA shall only take place if appropriate safeguards are in place in accordance with Chapter V of the GDPR. These safeguards include: a. The existence of an Adequacy Decision by the European Commission (such as the EU-US Data Privacy Framework which covers HubSpot, Inc. and Salesforce, Inc.); or b. The conclusion of Standard Contractual Clauses (SCCs) as approved by the European Commission.
5.4 Flow-Down of Supplier Requirements In accordance with the requirements of Leapware B.V.’s data suppliers (Creditsafe), the Client agrees that if Personal Data originating from Creditsafe is transferred by the Client itself to a location outside the EEA, the Client shall comply with the applicable SCCs or equivalent protection mechanisms.
Article 6. Audit and Compliance
6.1 Right to Audit The Client has the right to verify compliance with this DPA. To this end, the Client may request an audit once per calendar year, or in the event of a suspected data breach.
6.2 Audit Procedure Audits shall be performed by an independent third-party auditor mutually agreed upon by the Parties. The audit shall be conducted during normal business hours and with reasonable prior notice (at least 30 days), ensuring minimal disruption to Leapware B.V.’s business operations.
6.3 Third Party Reports Leapware B.V. may satisfy the audit requirement by providing recent Third Party Audit Reports (such as SOC 2, ISO 27001, or equivalent reports from its hosting providers Heroku/HubSpot) covering the scope of the Processing.
6.4 Supplier Audits (Mandatory) The Client acknowledges that Leapware B.V.’s data suppliers (Creditsafe and KVK) reserve the right to audit the use of their Data. The Client agrees to reasonably cooperate with Leapware B.V. in the event such an audit is requested by these Third Party Providers to verify compliance with the usage restrictions (such as the Non-Mailing Indicator).
6.5 Costs The Client shall bear all costs associated with an audit requested under Article 6.1, unless the audit reveals a material breach of this DPA by Leapware B.V.
Article 7. Term and Termination
7.1 Duration This DPA is valid for as long as Leapware B.V. processes Personal Data on behalf of the Client under the Terms of Service.
7.2 Consequences of Termination Upon termination or expiration of the Agreement, Leapware B.V. shall, at the choice of the Client, delete or return all Personal Data to the Client, and verify that all Sub-processors have done the same, unless Union or Member State law requires storage of the Personal Data. If the Client requests the return of Personal Data in a specific format that differs from the standard export functionality of the App, Leapware B.V. is entitled to charge reasonable costs for such export.
ANNEX 1: DETAILS OF PROCESSING
1. Categories of Data Subjects Leapware B.V. processes Personal Data regarding the following categories of data subjects:
- Prospects and Clients of the Client (whose data is stored in the Client's HubSpot environment).
- Employees of the Client (Authorized Users of the App).
- Business Relations (directors/owners) identified in the Third Party Data (Creditsafe/KVK).
2. Types of Personal Data The following types of Personal Data may be processed:
- Client Data: Name, email address, phone number, job title, company details, interaction data within HubSpot.
- Enriched Data: Financial data, credit scores, director names, UBO information (derived from Creditsafe/KVK).
- System Data: IP addresses, login logs, usage statistics.
3. Nature and Purpose of Processing The processing is performed for the following purposes:
- Validation and enrichment of business data (Credit checks, KVK checks) within HubSpot.
- Marketing Automation and nurturing of leads via workflows.
- Technical monitoring, maintenance, and improvement of the App.
4. Categories of Recipients
- The Data is processed by Leapware B.V. and its authorized Sub-processors (Hosting & Infrastructure).
- Third Party Data is sourced from Creditsafe and KVK (Independent Controllers).
IN WITNESS WHEREOF, this DPA is entered into and becomes a binding part of the Agreement upon the Client's acceptance of the Terms of Service.
Leapware B.V. (Data Processor)

