⚠ Template — pending legal review
This DPA is a working template and has not yet been reviewed by qualified counsel. For an executed, counter-signed DPA — required for many GDPR / UK GDPR engagements — please email contact@leakbase.ai.
This Data Processing Addendum ("DPA") supplements the Terms of Service between you ("Customer") and Leakbase, Inc. ("Leakbase"). It applies whenever Leakbase processes personal data on Customer's behalf in connection with the Service.
1. Definitions
Capitalized terms not defined here have the meanings given in the Terms of Service or in the GDPR. "Personal Data," "Processing," "Controller," and "Processor" have the meanings given in Article 4 GDPR.
2. Roles
Customer is the Controller of Personal Data uploaded to or collected via the Service. Leakbase is the Processor of that Personal Data. Each party will comply with the obligations applicable to it under the GDPR and other applicable data protection laws.
3. Scope and duration
Leakbase will Process Personal Data only for the duration of the Terms and only as needed to provide the Service or as instructed by Customer.
- Subject matter: provision of the Leakbase platform.
- Nature and purpose: detecting lost revenue across Customer's Connected Apps, drafting recovery messages, and reporting.
- Categories of data subjects: Customer's end-customers, leads, and contacts.
- Categories of data: name, email, billing address, transaction history, subscription status, and other operational data emitted by Connected Apps.
4. Customer instructions
Leakbase will Process Personal Data only on documented instructions from Customer (including those in the Terms, this DPA, and configuration choices made in the Service), unless required to do otherwise by law. If legally required, Leakbase will inform Customer before Processing, unless prohibited.
5. Confidentiality
Leakbase ensures that personnel authorized to Process Personal Data are bound by appropriate confidentiality obligations.
6. Security
Leakbase implements appropriate technical and organizational measures, including: encryption in transit (TLS 1.2+), encryption at rest, row-level security on the database, principle of least privilege, MFA for production access, audit logging, and regular vulnerability scanning. Detailed measures are described in our Security overview.
7. Sub-processors
Customer authorizes Leakbase to engage the sub-processors listed below. Leakbase will impose data protection obligations no less protective than those in this DPA on each sub-processor and remains liable for their acts and omissions.
- Supabase, Inc. — database, authentication, storage, edge functions (US/EU).
- Stripe, Inc. — payment processing and Connect (US).
- Cloudflare, Inc. — CDN, DNS, edge runtime (global).
- Google LLC — Gemini AI models for recovery message drafting (US).
- OpenAI, L.L.C. — GPT models for recovery message drafting (US).
We will give Customer at least 30 days' notice (by email and on this page) before adding or replacing any sub-processor. Customer may object on reasonable data-protection grounds; if Leakbase cannot accommodate the objection, Customer may terminate the affected portion of the Service.
8. Data subject rights
Leakbase will, taking into account the nature of the Processing, assist Customer (by appropriate technical and organizational measures, insofar as possible) to fulfill its obligation to respond to data subject requests.
9. Personal data breach
Leakbase will notify Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach affecting Customer's Personal Data, and will provide reasonable cooperation in investigation and notification.
10. International transfers
Where Personal Data is transferred outside the EEA / UK / Switzerland, the parties agree that the EU Standard Contractual Clauses (Module 2: Controller-to-Processor, Commission Decision 2021/914) and the UK International Data Transfer Addendum are incorporated by reference and apply to such transfers, with Customer as data exporter and Leakbase as data importer.
11. Audits
Once per twelve-month period, Customer may, at its expense, request a copy of Leakbase's most recent third-party security report (when available) or submit a reasonable written security questionnaire, which Leakbase will respond to within 30 days.
12. Deletion
On termination of the Service, Leakbase will delete or return all Personal Data within 30 days, unless legally required to retain it. Backups containing Personal Data are overwritten on a rolling basis within 90 days.
13. Liability
The parties' liability under this DPA is subject to the limitations in the Terms of Service.
14. Order of precedence
In the event of a conflict between this DPA and the Terms of Service, this DPA prevails with respect to the Processing of Personal Data.
15. Signature
This DPA is incorporated into the Terms by reference. By accepting the Terms, Customer accepts this DPA. Customers requiring a counter-signed copy should email contact@leakbase.ai.