Data Processing Agreement
Last updated: April 10, 2026
This DPA governs the processing of personal data between DothaLeads (Processor) and you, the Customer (Controller), as required by GDPR Art. 28.
1. Definitions
- Controller: The customer purchasing DothaLeads data.
- Processor: Dothamina.ai operating DothaLeads.
- Personal Data: B2B contact data provided by DothaLeads.
2. Processing Instructions
We process personal data only on documented instructions from the Controller — i.e. to provide the contracted service. You instruct us to collect, store, and deliver B2B contact data for your sales and marketing activities.
3. Controller Obligations
- Use data only for lawful B2B purposes
- Honour opt-out/erasure requests immediately
- Include required legal notices in outreach
- Maintain records of processing activities
- Comply with all applicable data protection laws
4. Processor Obligations (DothaLeads)
- Process data only as instructed
- Implement appropriate technical and organisational security measures
- Assist Controller in responding to data subject rights requests
- Notify Controller of any data breach within 72 hours
- Delete or return data upon contract termination
5. Sub-processors
We use the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database storage | EU (Frankfurt, Germany) |
| Cloudflare | CDN and hosting | Global (EU-first) |
6. International Transfers
Data is stored in the EU. Any transfers outside the EEA are governed by Standard Contractual Clauses (SCCs).
7. Security Measures
- Encryption at rest and in transit (TLS 1.2+)
- Access controls and authentication
- Regular security audits
- Incident response procedures
8. Duration
This DPA remains in effect for the duration of the service agreement and terminates automatically upon cancellation.
9. Governing Law
Spanish law and GDPR. Disputes in courts of Barcelona, Spain.
Request a Signed DPA
For a countersigned DPA document, email 📧 [email protected]