Data Processing Agreement

Last updated: 5 June 2026

This Data Processing Agreement ("DPA") forms part of, and is incorporated into, the Terms of Service between FRAXBIT DIGITAL SRL ("Fraxbit," "we," or "Processor") and the customer that uses ClosePeak (the "Customer" or "Controller"). It applies whenever Fraxbit processes personal data on behalf of the Customer in connection with the ClosePeak service (the "Service"). It should be read together with our Privacy Policy and GDPR & Public Data Policy.

Roles in plain terms. When you use ClosePeak to find and contact prospects, you are the data controller and decide who to contact and what to send. Fraxbit acts as your processor for that data. Fraxbit is the controller only for your own account information, which is covered by the Privacy Policy.

1. Definitions

Terms such as "personal data", "processing", "data subject", "controller", "processor", and "personal data breach" have the meanings given to them in the EU General Data Protection Regulation 2016/679 and, where applicable, the UK GDPR (together, "Data Protection Law"). "Sub-processor" means any third party engaged by Fraxbit to process personal data on the Customer's behalf.

2. Scope and roles

For personal data that Fraxbit processes on the Customer's behalf through the Service, the Customer is the controller and Fraxbit is the processor. Each party will comply with its obligations under Data Protection Law. The Customer is responsible for establishing a lawful basis for the processing and for ensuring its outreach is lawful in its own jurisdiction and that of each recipient.

3. Subject matter, nature, and purpose of processing

  • Subject matter and duration:processing for the provision of the Service, for the duration of the Customer's use of the Service.
  • Nature and purpose: discovery of publicly available business contact data, storage of prospects and leads, AI-assisted drafting of outreach messages, and related features the Customer chooses to use.
  • Types of personal data:business contact details of prospects (such as business name, business email, phone, address, and website) and the account data of the Customer's own users.
  • Categories of data subjects:owners, managers, and staff of the businesses the Customer searches for, and the Customer's own authorised users.

4. Fraxbit's obligations as processor

In line with Article 28 GDPR, Fraxbit will:

  • process the personal data only on the Customer's documented instructions (the Customer's configuration and use of the Service constitute such instructions), unless required to act otherwise by law;
  • ensure that persons authorised to process the personal data are bound by an appropriate duty of confidentiality;
  • implement appropriate technical and organisational security measures as required by Article 32 (see Annex 3);
  • respect the conditions in section 5 for engaging sub-processors;
  • taking into account the nature of the processing, assist the Customer with appropriate measures, insofar as possible, to respond to requests from data subjects exercising their rights;
  • assist the Customer in ensuring compliance with its obligations regarding security, breach notification, data protection impact assessments, and prior consultation (Articles 32 to 36);
  • at the Customer's choice, delete or return all personal data at the end of the provision of the Service, unless retention is required by law;
  • make available to the Customer the information necessary to demonstrate compliance with this section, and allow for and contribute to audits as described in section 7.

5. Sub-processors

The Customer grants Fraxbit general authorisation to engage sub-processors to provide the Service. Fraxbit imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA, and remains responsible for their performance. A current list of sub-processors is maintained in our Privacy Policy and summarised in Annex 2. Fraxbit will inform the Customer of any intended change of sub-processors, giving the Customer the opportunity to object on reasonable data-protection grounds by emailing contact@fraxbit.com.

6. International transfers

Where personal data is transferred to a country outside the European Economic Area, Fraxbit ensures an appropriate transfer mechanism is in place, such as an adequacy decision or the European Commission's Standard Contractual Clauses, together with any additional safeguards required by Data Protection Law.

7. Audit

Fraxbit will, on reasonable prior written notice and no more than once per year (unless required by a supervisory authority), make available information reasonably necessary to demonstrate compliance with this DPA and contribute to audits, provided that audits respect Fraxbit's confidentiality and security obligations and do not disrupt the Service.

8. Personal data breach

Fraxbit will notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's personal data, and will provide reasonable information to help the Customer meet its own notification obligations.

9. Return and deletion

On termination of the Service, or on the Customer's written request, Fraxbit will delete or return the personal data processed on the Customer's behalf, subject to any retention required by law.

10. Liability and term

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. This DPA takes effect when the Customer accepts the Terms or starts using the Service, and remains in force for as long as Fraxbit processes personal data on the Customer's behalf.

11. How to enter into this DPA

By accepting the Terms of Service and using ClosePeak, the Customer agrees to this DPA, and no separate signature is required for it to take effect. If your organisation requires a countersigned copy for its records, email contact@fraxbit.com and we will arrange one.

Annex 1 - Details of processing

  • Subject matter: provision of the ClosePeak Service.
  • Duration: the term of the Customer's use of the Service.
  • Nature and purpose: discovery of public business contact data, storage, AI-assisted outreach drafting, and related features.
  • Personal data: business contact details of prospects; Customer account data.
  • Data subjects: staff and owners of prospect businesses; Customer users.

Annex 2 - Sub-processors (summary)

The maintained list lives in the Privacy Policy. As of the date above it includes, by category:

  • AI provider for text generation (model inference).
  • Business-data and website-analysis providers (maps, listings, performance).
  • Payment provider (subscription billing).
  • Email delivery provider (transactional and verification email).
  • Cloud hosting and infrastructure provider.

Annex 3 - Security measures

  • Encryption of data in transit using TLS.
  • Encryption of sensitive credentials at rest (for example, AES-256-GCM).
  • Passwords stored only as salted hashes.
  • Access controls, authentication, and the principle of least privilege.
  • Regular, retained database backups.
  • Use of reputable infrastructure and service providers.

Contact

For any question about this DPA, email contact@fraxbit.com. FRAXBIT DIGITAL SRL is a company registered in Romania.